Impact
The default ServerName configuration of the all-in-one and docker-compose based Docker containers of OpenProject allows for HOST header injection if they are operated without a proxying web server / load balancer in front of them with a proper ServerName setup.
Operating public-facing Docker containers is not recommended by OpenProject. The embedded server of the Docker containers is not designed to be publicly accessible. Instead, use a proxying or load balancing web server that is bound to your public hostname. If you are using such an external web server, this advisory does not affect you.
Patches
No patch is available; see the workarounds below to set up the containers so that this behavior is prevented. The Docker-based installation documentation has been extended to highlight that this mode of operation is insecure and not meant for production systems.
Starting with OpenProject 11.3.3, the installation will output a warning when the Docker container is started without the SERVER_NAME variable explicitly set.
Workarounds
- Explicitly set the SERVER_NAME environment variable to the public-facing host name. This results in the embedded Apache web server using a non-default VirtualHost ServerName.
- Use a proxying web server or load balancer that is bound to your public host name. For most production setups with SSL/TLS termination, this will already be the case.
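To make the point of the advisory concrete, here is an added example (not code from OpenProject or from the Apache httpd project) contrasting a server that reflects the request's Host header into self-referential URLs with one that only honours a configured SERVER_NAME. The function names, the sample headers and the hostnames attacker.example and openproject.example are assumptions made for this illustration.

```python
"""Added example, not OpenProject's or Apache's own code.

Models the two behaviours the advisory contrasts: a server that builds
absolute URLs (redirects, e-mail links) from whatever Host header the
client sent, and one that only trusts a configured SERVER_NAME. The
function names, the sample headers and the hostnames are constructed
for this illustration.
"""
import re
from urllib.parse import urlunsplit

# Constructed sample request: when the container is reached directly,
# the Host header is whatever the client chose to send.
SAMPLE_HEADERS = {"Host": "attacker.example"}

# Hostname characters accepted after lowercasing and port removal.
_HOST_CHARS = re.compile(r"[a-z0-9.-]+")


def reflect_host_url(headers, path="/password_reset/token"):
    """Vulnerable pattern: the absolute URL is built from the request's
    Host header, so a link generated this way points wherever the
    client said (the default-VirtualHost behaviour the advisory warns about)."""
    return urlunsplit(("https", headers["Host"], path, "", ""))


def normalize_host(value):
    """Lowercase the Host value, drop an explicit port, and reject anything
    that is not a plain hostname (CR/LF, spaces, IPv6 literals, empty).
    Returns None for values that must not be matched at all."""
    host = value.strip().lower()
    if not host or host.startswith("["):
        return None
    host = host.split(":", 1)[0]
    if not _HOST_CHARS.fullmatch(host):
        return None
    return host


def validated_host_url(headers, server_name, path="/password_reset/token"):
    """Hardened pattern: the request is only served if its Host matches
    the configured name, and the URL is always built from SERVER_NAME,
    never from the header. Returns None when the request is rejected."""
    expected = normalize_host(server_name)
    if expected is None:
        raise ValueError("SERVER_NAME must be a plain hostname")
    if normalize_host(headers.get("Host", "")) != expected:
        return None
    return urlunsplit(("https", expected, path, "", ""))


if __name__ == "__main__":
    print("reflected:", reflect_host_url(SAMPLE_HEADERS))
    print("validated:", validated_host_url(SAMPLE_HEADERS, "openproject.example"))
    print("validated:", validated_host_url({"Host": "OpenProject.example:443"},
                                           "openproject.example"))
```

The first workaround corresponds to the second pattern: once the server knows its own canonical name, every self-referential URL is derived from that name, and requests addressed to any other host can be refused instead of answered with attacker-chosen links.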
Credits
This security issue was responsibly disclosed by RedHunt Labs, https://redhuntlabs.com/. Thank you for reaching out to us and for your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.
References
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
For more information
If you have any questions or comments about this advisory: