Summary
In the default configuration of packaged installations, with the "Login required" setting enabled, an attacker could use a forged Host header to make the application redirect a user to a remote host, providing a starting point for a phishing attack against that user's OpenProject account.
This vulnerability affects default packaged installations of OpenProject running on Apache without any additional configuration or modules (such as mod_security, a manually set host name, or a fallthrough VirtualHost). It may also affect other installations where the proxy does not fix the Host and X-Forwarded-Host headers before forwarding requests to the application.
Mitigation
We strongly recommend that all users update to the latest version, which adds stronger hostname protections within the application: the Rails HostAuthorization middleware (https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization) rejects any request whose host name does not match the configured one, and all links generated by the application are now built from the configured hostname rather than from request headers.
Releases
OpenProject version 14.3.0 contains additional measures to protect against Host header injection from within the application.
Workaround
Users who are unable to upgrade immediately should use mod_security for Apache2, or manually fix the Host and X-Forwarded-Host headers in the proxy before requests reach the OpenProject application server.
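To make the issue and both fixes concrete, here is an added example, written for this page and not taken from OpenProject or Rails. It is plain Ruby using a Rack-style env Hash so it runs without Rails or Rack installed. It shows the vulnerable pattern behind this advisory (a "Login required" redirect whose absolute URL is built from the request's Host/X-Forwarded-Host), a HostAuthorization-style middleware that rejects mismatched hosts as the Mitigation section describes, and a header-normalizing middleware that does in-process what the workaround above asks the proxy to do. The hostname openproject.example.com, the /login path, the back_url parameter and all class and function names are assumptions for illustration.

```ruby
# Added example (not OpenProject's or Rails' code). A Rack-style env Hash
# stands in for a real request so this runs without Rails or Rack.
require 'uri'

# Assumed deployment hostname; in OpenProject this is a configured setting.
CONFIGURED_HOST = 'openproject.example.com'

# Host as a proxied app sees it: X-Forwarded-Host wins over Host when present.
# Both are attacker-controlled unless the proxy overwrites them.
def effective_host(env)
  forwarded = env['HTTP_X_FORWARDED_HOST'].to_s.split(',').first.to_s.strip
  forwarded.empty? ? env['HTTP_HOST'].to_s : forwarded
end

# Vulnerable pattern: the "Login required" redirect builds an absolute URL
# from the request host, so a forged header sends the user off-site.
def vulnerable_login_redirect(env)
  back = URI.encode_www_form_component(env['PATH_INFO'].to_s)
  "https://#{effective_host(env)}/login?back_url=#{back}"
end

# Hardened pattern: generated links only ever use the configured hostname.
def hardened_login_redirect(env)
  back = URI.encode_www_form_component(env['PATH_INFO'].to_s)
  "https://#{CONFIGURED_HOST}/login?back_url=#{back}"
end

# Middleware in the spirit of ActionDispatch::HostAuthorization: every host
# named in Host or X-Forwarded-Host must be on the allowlist, else 403.
class HostAuthorization
  def initialize(app, allowed_hosts)
    @app = app
    @allowed = allowed_hosts.map(&:downcase)
  end

  def call(env)
    raw = [env['HTTP_HOST'], env['HTTP_X_FORWARDED_HOST']].compact
    hosts = raw.flat_map { |h| h.split(',') }
                .map { |h| h.strip.sub(/:\d+\z/, '').downcase } # drop port
                .reject(&:empty?)
    # An absent Host header is rejected too, not silently accepted.
    if hosts.empty? || !hosts.all? { |h| @allowed.include?(h) }
      return [403, { 'content-type' => 'text/plain' }, ['Blocked host']]
    end
    @app.call(env)
  end
end

# Workaround equivalent: overwrite both headers with the configured value
# before the application can read them, as a proxy rule would.
class HostNormalizer
  def initialize(app, host)
    @app = app
    @host = host
  end

  def call(env)
    env['HTTP_HOST'] = @host
    env['HTTP_X_FORWARDED_HOST'] = @host
    @app.call(env)
  end
end

# Inner app: an unauthenticated request to a protected page gets redirected
# to the login page using the (vulnerable) request-derived URL.
LOGIN_APP = lambda do |env|
  [302, { 'location' => vulnerable_login_redirect(env) }, []]
end

# Constructed request env for testing; not captured traffic.
def request_env(host:, forwarded_host: nil, path: '/projects')
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'HTTP_HOST' => host }
  env['HTTP_X_FORWARDED_HOST'] = forwarded_host if forwarded_host
  env
end

if __FILE__ == $PROGRAM_NAME
  forged = request_env(host: 'attacker.example')
  puts "vulnerable: #{vulnerable_login_redirect(forged)}"
  puts "hardened:   #{hardened_login_redirect(forged)}"
  status, = HostAuthorization.new(LOGIN_APP, [CONFIGURED_HOST]).call(forged)
  puts "authorization middleware status: #{status}"
  _, headers, = HostNormalizer.new(LOGIN_APP, CONFIGURED_HOST).call(forged)
  puts "normalized redirect: #{headers['location']}"
end
```

Note that the authorization middleware checks every host listed in X-Forwarded-Host, not just Host, because a forwarded header is exactly what a proxied Rails app uses to build URLs; checking Host alone would leave the advisory's scenario open.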
Alternatively, you can apply the following patch to opt in to host header protections in previous versions of OpenProject (>= 12.0):
host-protection.patch
Credits
This vulnerability was responsibly disclosed by Robin Webber of Harvard University. We are grateful for their diligence and commitment to ensuring the security of our application.