lcg0124 BootDo Host Header Injection Vulnerability in AccessControlFilter

Vulnerability

A host header injection vulnerability has been identified in lcg0124 BootDo versions prior to 5ccd963c74058036b466e038cff37de4056c1600. The issue resides in the redirectToLogin function of AccessControlFilter.java. Manipulating the Host header allows open redirects, and the issue can be exploited remotely. The vulnerability has been publicly disclosed, and a proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for host header injection, which can be used to manipulate password reset links, redirect users to malicious sites, capture tokens and credentials, escalate privileges within the application, and poison downstream caches, redirecting subsequent visitors to the attacker's server.

Reproduction

To reproduce this vulnerability, send an unauthenticated request to a URL that requires authentication. The request should include a Host header with a value of your choice, such as 'baidu.com'. The server will respond by redirecting to the login page, and the injected Host value is carried into that redirect, allowing for potential exploitation.

Remediation

It is recommended to reject unknown or mismatched Host headers, use secure absolute URLs for redirects and password reset links, and enable reverse-proxy validation to overwrite the Host header with the correct internal value before the request reaches the backend.
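
The first two recommendations above, as an added example (not BootDo's code or its fix): the Host header is checked against an allowlist, and the login redirect is built from a configured base URL instead of the request. The hostnames, base URL, /login path and the HostHeaderGuard class are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HostHeaderGuard {
    // Assumed deployment values (placeholders, not taken from BootDo).
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "localhost"));
    static final String CANONICAL_BASE_URL = "https://app.example.com";

    // host[:port] only; userinfo, commas, whitespace and paths do not match.
    private static final Pattern HOST =
            Pattern.compile("^([a-z0-9.-]+)(?::([0-9]{1,5}))?$");

    /** Returns the normalized hostname if the Host header is allowlisted, else null. */
    static String validatedHost(String hostHeader) {
        if (hostHeader == null) return null;
        Matcher m = HOST.matcher(hostHeader.trim().toLowerCase(Locale.ROOT));
        if (!m.matches()) return null;
        String host = m.group(1);
        // Treat the fully qualified form "name." the same as "name".
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1);
        return ALLOWED_HOSTS.contains(host) ? host : null;
    }

    /** Login redirect target, or null when the request should be answered with 400. */
    static String loginRedirect(String hostHeader) {
        if (validatedHost(hostHeader) == null) return null;
        return CANONICAL_BASE_URL + "/login"; // assumed path; never derived from the request
    }

    public static void main(String[] args) {
        // Constructed sample Host header values.
        String[] samples = {"app.example.com", "APP.EXAMPLE.COM.:443", "baidu.com",
                "app.example.com@baidu.com", "app.example.com, baidu.com", "", null};
        for (String h : samples) {
            String target = loginRedirect(h);
            System.out.println(h + " -> "
                    + (target == null ? "400 Bad Request" : "302 " + target));
        }
    }
}
```

In a servlet filter the same check would run before any redirect is issued, with the null case mapped to an HTTP 400 response.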

Added: Jan 25, 2026, 12:20 PM
Updated: Jan 25, 2026, 12:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 8.0
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.