
I just received an error email from my home web-server (it's a low-traffic site, and since it's running a Django application I've written myself, getting an email on errors helps me find bugs).

Subject: [Django] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '203.7.2.230 deimos-legion.net'. The domain name provided is not valid according to RFC 1034/1035.

Invalid HTTP_HOST header: '203.7.2.230 deimos-legion.net'. The domain name provided is not valid according to RFC 1034/1035.

The requested URL was /?author=1 (The / page is a simple news page, and doesn't use query parameters, so this couldn't have originated from a link on the page).

The rest of the request specifics are provided below. Anyone have any idea what this request was trying to do / what vulnerability it might have been trying to exploit?

GET:<QueryDict: {u'author': [u'1']}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'CONTENT_LENGTH': '',
'CONTENT_TYPE': '',
'DOCUMENT_ROOT': '/var/www',
'HTTP_ACCEPT_ENCODING': 'identity',
'HTTP_CONNECTION': 'close',
'HTTP_HOST': '203.7.2.230 deimos-legion.net',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0',
'PATH_INFO': u'/',
'QUERY_STRING': 'author=1',
'REMOTE_ADDR': '89.248.174.49',
'REMOTE_PORT': '21642',
'REQUEST_METHOD': 'GET',
'REQUEST_URI': '/?author=1',
u'SCRIPT_NAME': u'',
'SERVER_NAME': 'solaris.deimos-legion.net',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.1',

(I suppose the presence of SCRIPT_NAME suggests this is an attempted PHP exploit - I don't think Django uses that value.)

Anders

1 Answer


It looks a little like a shared cache poisoning attack that leverages HTTP Response Splitting.

This attack works by sending two HTTP Host headers: evil.com and yourhost.com, and exploiting a mismatch in how different subsystems deal with multiple headers.

For example, the Varnish cache would treat the first Host header as true, whereas the nginx web server would use the last one.

I'm guessing you use Apache, which concatenates the Host headers.

A standardization was established in RFC7230 that purports to protect against these attacks:

A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value.

SCRIPT_NAME does not indicate a PHP exploit; it's likely just the initial portion of the application's path in your WSGI.

Jedi
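The following is an added example, not code from the question, the answer, or Django itself. It re-implements, in simplified form, the two checks that decide this request's fate: a syntactic Host field-value check shaped like Django's host_validation_re (hostname, IPv4, or bracketed IPv6, with an optional port) and an ALLOWED_HOSTS-style match, plus the RFC 7230 rule that a request carrying zero or several Host headers gets a 400. It also shows why a lenient front end that resolves duplicate Host headers by "first", "last", or concatenation can hand the application a value like '203.7.2.230 deimos-legion.net'. ALLOWED_HOSTS and the header lists are constructed for the example; the regex is an assumption modelled on Django's, not Django's own code.

```python
import re
from typing import List, Optional, Tuple

# Syntax check for a single Host field-value: hostname/IPv4 or bracketed IPv6,
# optionally followed by :port. Assumption: simplified version of the shape of
# Django's host_validation_re, not the library's own regex.
HOST_RE = re.compile(
    r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:[0-9]{1,5})?$",
    re.IGNORECASE,
)

# Constructed ALLOWED_HOSTS: exact name plus any subdomain (leading dot).
ALLOWED_HOSTS = ["deimos-legion.net", ".deimos-legion.net"]


def validate_host_field(value: str) -> Optional[str]:
    """Return the host part (lower-cased, port stripped) if the field-value is
    syntactically valid, otherwise None. A space, as in
    '203.7.2.230 deimos-legion.net', is not a legal hostname character."""
    m = HOST_RE.match(value)
    if not m:
        return None
    return m.group(1).lower()


def host_is_allowed(host: str, allowed_hosts: List[str]) -> bool:
    """Match a validated host against ALLOWED_HOSTS-style patterns."""
    for pattern in allowed_hosts:
        if pattern.startswith("."):
            # ".example.net" matches example.net and any subdomain of it.
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def check_request_host(headers: List[Tuple[str, str]],
                       allowed_hosts: List[str] = ALLOWED_HOSTS) -> Tuple[int, str]:
    """Decide a request's fate from its raw header list (name, value pairs,
    in the order received). Returns (status_code, reason)."""
    host_values = [v for name, v in headers if name.lower() == "host"]
    # RFC 7230 section 5.4: missing or repeated Host field -> 400.
    if not host_values:
        return 400, "missing Host header"
    if len(host_values) > 1:
        return 400, "multiple Host headers"
    host = validate_host_field(host_values[0])
    if host is None:
        return 400, "invalid Host field-value"
    if not host_is_allowed(host, allowed_hosts):
        return 400, "Host not in ALLOWED_HOSTS"
    return 200, "ok"


def pick_host(values: List[str], policy: str) -> str:
    """Illustrate how a front end that does NOT reject duplicates might
    collapse several Host values into one before proxying. Only 'reject'
    (handled by check_request_host) is safe; the other policies let two
    subsystems disagree about which host a request was for."""
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "concat":
        return " ".join(values)
    raise ValueError("unknown policy: %s" % policy)


if __name__ == "__main__":
    # Constructed requests: the logged one, a duplicate-header one, a clean one.
    logged = [("Host", "203.7.2.230 deimos-legion.net")]
    duplicated = [("Host", "203.7.2.230"), ("Host", "deimos-legion.net")]
    clean = [("Host", "solaris.deimos-legion.net")]
    for req in (logged, duplicated, clean):
        print(req, "->", check_request_host(req))
    for policy in ("first", "last", "concat"):
        print(policy, "->", pick_host(["203.7.2.230", "deimos-legion.net"], policy))
```

Run as a script it prints the verdict for each constructed request; the logged value is rejected for syntax alone, before ALLOWED_HOSTS is even consulted, which is exactly the "Invalid HTTP_HOST header" branch in the email. The pick_host output shows that the concatenation policy reproduces the space-separated value seen in the log.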