Last active
February 13, 2024 14:00
-
-
Save TJetnipat/02b3854543b7ec95d54a8de811f2e8ae to your computer and use it in GitHub Desktop.
A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a HTTP "Host" request header.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Vulnerability: Host Header Injection | |
| Product: Plesk Obsidian | |
| Version: 18.0.49 and below | |
| Tools: | |
| Burp Suite | |
| Mozilla Firefox (as a browser) | |
| Scenario: Attacker could redirect users login page to malicious login page by inject a payload directly into the “Host: ” HTTP request header. | |
| Steps: | |
| 1. Access the target website (which Plesk installed) without URL path. | |
| 2. Intercept “login.php” request and Modify the “Host: ” HTTP request header value to malicious website. In this case -> attacker.com and then forward the edited request. | |
| 3. The target website will redirect to “https://attacker.com/login_up.php” instead of “https:<target>/login.php”. | |
| More step by step screanshot and PoC video: | |
| https://medium.com/@jetnipat.tho/cve-2023-24044-10e48ab940d8 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What the fak? how can you attacker user?