Vulnerability in Blackberry portal.
An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Developers often resort to the exceedingly untrustworthy HTTP Host header ($_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it, with code equivalent to: <link href="https://_SERVER['HOST']" (Blackberry)
Below are some attacks that can be triggered:
- Web Cache Poisoning
- Firewall/IPS/IDS evasion
- Forward vs. backward HRS
- Request Hijacking
- Request Credential Hijacking
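The unencoded Host reflection described above, next to a hardened form, as an added example that is not code from the Blackberry portal or from the original write-up. The allowlist entries, canonical host, stylesheet path and function names are assumptions made for illustration.

```php
<?php
// Assumed deployment values (placeholders, not taken from the page).
const ALLOWED_HOSTS = ['portal.example.com', 'www.example.com'];
const CANONICAL_HOST = 'portal.example.com';

// Pattern described above: the client-supplied Host header is written
// into markup without validation or HTML-encoding.
function link_tag_vulnerable(array $server): string
{
    return '<link href="https://' . $server['HTTP_HOST'] . '/style.css" rel="stylesheet">';
}

// Return a host that is safe to use in absolute URLs. Anything that is not
// an exact allowlist match falls back to the configured canonical host.
function trusted_host(array $server): string
{
    $raw = strtolower(trim($server['HTTP_HOST'] ?? ''));
    // Accept only a plain hostname with an optional :port suffix.
    if (!preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?$/', $raw, $m)) {
        return CANONICAL_HOST;
    }
    return in_array($m[1], ALLOWED_HOSTS, true) ? $m[1] : CANONICAL_HOST;
}

// Hardened form: allowlisted host, still HTML-encoded on output as defence in depth.
function link_tag_hardened(array $server): string
{
    $host = htmlspecialchars(trusted_host($server), ENT_QUOTES, 'UTF-8');
    return '<link href="https://' . $host . '/style.css" rel="stylesheet">';
}

// Constructed sample Host values: a legitimate one, an unknown domain,
// and one carrying markup characters.
$samples = ['portal.example.com', 'other.example.net', 'x"><b>injected</b>'];
foreach ($samples as $h) {
    $server = ['HTTP_HOST' => $h];
    echo "Host: $h\n";
    echo "  vulnerable: " . link_tag_vulnerable($server) . "\n";
    echo "  hardened:   " . link_tag_hardened($server) . "\n";
}
```

Because the hardened form never emits a host outside the allowlist, a cache in front of the application cannot end up storing a page whose links point at an attacker-chosen domain.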
Proof of Concept:
The document has moved
Proof of poisoning cache server.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<title>503 Service Unavailable</title>
<h1>Error 503 Service Unavailable</h1>
<p>Varnish cache server</p>
Mentioned in Acknowledgements: