A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via an HTTP "Host" request header.
Vulnerability: Host Header Injection
Product: Plesk Obsidian
Version: 18.0.49 and below
Tools:
Burp Suite
Mozilla Firefox (as a browser)
Scenario: An attacker could redirect users from the login page to a malicious login page by injecting a payload directly into the "Host:" HTTP request header.
Steps:
1. Access the target website (which has Plesk installed) without a URL path.
2. Intercept the "login.php" request and modify the "Host:" HTTP request header value to a malicious website (in this case, attacker.com), then forward the edited request.
3. The target website will redirect to "https://attacker.com/login_up.php" instead of "https://<target>/login.php".
More step-by-step screenshots and a PoC video:
https://medium.com/@jetnipat.tho/cve-2023-24044-10e48ab940d8
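The bug class behind this report is a redirect whose target is built from the untrusted Host header. The following is an added example, not Plesk code and not from the report: the flawed pattern beside a hardened version that only honours Host values on a configured allowlist, plus a check that flags unexpected Host values in access logs. The hostnames, configuration names and log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed configuration (constructed): hostnames the panel is legitimately served under.
ALLOWED_HOSTS = {"panel.example.com", "panel.example.com:8443"}
CANONICAL_HOST = "panel.example.com:8443"


def vulnerable_redirect(headers):
    """Flawed pattern: the redirect target is built from the untrusted Host header."""
    return f"https://{headers.get('Host', '')}/login_up.php"


def host_is_allowed(host):
    """Exact, case-insensitive match against the allowlist; rejects empty or malformed values."""
    host = host.strip().lower()
    if not host or any(ch in host for ch in ",/@\\ "):
        return False
    return host in ALLOWED_HOSTS


def safe_redirect(headers):
    """Hardened pattern: honour Host only when allowlisted, otherwise use the canonical host."""
    host = headers.get("Host", "")
    target = host.strip().lower() if host_is_allowed(host) else CANONICAL_HOST
    return f"https://{target}/login_up.php"


def is_offsite(location):
    """True when a Location header value points outside the allowlisted hosts."""
    return urlsplit(location).netloc.lower() not in ALLOWED_HOSTS


# Constructed access-log lines; the last quoted field records the request's Host header.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2023:10:00:00 +0000] "GET /login.php HTTP/1.1" 302 "panel.example.com:8443"',
    '198.51.100.7 - - [01/Jan/2023:10:00:01 +0000] "GET /login.php HTTP/1.1" 302 "attacker.com"',
]


def unexpected_hosts(lines):
    """Host values in the log that are not allowlisted: a cheap indicator of header tampering."""
    return [line.rsplit('"', 2)[1] for line in lines if not host_is_allowed(line.rsplit('"', 2)[1])]


if __name__ == "__main__":
    forged = {"Host": "attacker.com"}
    print(vulnerable_redirect(forged), is_offsite(vulnerable_redirect(forged)))
    print(safe_redirect(forged))
    print(unexpected_hosts(SAMPLE_LOG))
```

Logging the Host header, as the constructed lines do, is what makes the log check possible; many default access-log formats omit it.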