I have a domain www.mysite.com, and I am making a request to www.mysite.com on port 80 using telnet, but I send a host header with another domain name (www.wrong-domain.com). The server doesn't correctly verify whether the host header contains its own domain, and initiates a redirect response with the Location header set to the user-supplied domain from the "host" header.
Can this lead to any specific attack scenario because of this?
I am not looking at an HTTP splitting type of attack, since the server is not vulnerable to it, but can this lead to other kinds of attacks? My first thought was something like redirect amplification, similar to DNS amplification, but that doesn't look possible.
Below is the output from the telnet. The server doesn't verify if the host header contains its own domain, and uses it to create the Location header in the response.
P.S.: The site is not vulnerable to HTTP splitting attacks.
    telnet www.mysite.com 80
    GET / HTTP/1.1
    host: www.wrong-domain.com

    HTTP/1.1 302 Found
    Server: Apache-Coyote/1.1
    Cache-Control: private
    Expires: Thu, 01 Jan 1970 00:00:00 UTC
    Location: https://www.wrong-domain.com/
    Content-Length: 0
    Date: Sun, 11 Jan 2015 15:57:26 GMT
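The behaviour in the telnet output next to a validated alternative, plus a check that flags the reflection in a captured response. This is an added example, not part of the original post or the site's code; the allowlist, the canonical host and all function names are assumptions.

```python
# Added example: ALLOWED_HOSTS, CANONICAL_HOST and function names are assumptions.
ALLOWED_HOSTS = {"www.mysite.com", "mysite.com"}  # hosts this server serves
CANONICAL_HOST = "www.mysite.com"                 # used when Host is untrusted


def normalize_host(host_header):
    """Lower-case the Host value; strip an optional port and trailing dot."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8080
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")


def redirect_reflecting_host(host_header, path="/"):
    """Behaviour seen in the question: Location echoes the Host header."""
    return "https://" + host_header + path


def redirect_validated(host_header, path="/"):
    """Build Location from an allowlisted host, else use the canonical one."""
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return "https://" + host + path


def location_reflects_host(sent_host, raw_response):
    """Check a captured response: does Location contain the Host we sent?"""
    needle = normalize_host(sent_host)
    if not needle:
        return False
    for line in raw_response.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return needle in value.lower()
    return False


# Constructed sample mirroring the response shown in the question.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: https://www.wrong-domain.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(redirect_reflecting_host("www.wrong-domain.com"))
    print(redirect_validated("www.wrong-domain.com"))
    print(location_reflects_host("www.wrong-domain.com", SAMPLE_RESPONSE))
```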