drs's Statistics

Challenges Complete: 0

Write-ups: 1

Tutorials: 0

$5000 Apache /server-status page

Posted on 2019-04-19
Program:   Unknown
Priority:   None specified

Hello all,

This is my first write-up, and also my 50th bug found on Bugcrowd. I hope you'll enjoy reading it as much as I enjoyed finding it. It is an extremely simple yet critical bug that I found while searching on a target. The application made background requests that carried a token in the URL, e.g. GET https://www.bugbountynotes.com/user/me?token=abc HTTP/1.1, which returned the currently authenticated user's data.

The app was running on Apache and was vulnerable to a Host-Header injection attack.

Accessing the Apache /server-status page was this simple:

GET /server-status HTTP/1.1
Host: localhost

By changing the Host header to localhost I was able to access /server-status and see the current requests being handled by the server. mod_status has an option called SeeRequestTail (off by default); when it is off, only the first 63 characters of each request line are displayed in /server-status. Luckily the tokens and the exact endpoints were not that long - they fit within the 63-character limit - so I was able to steal the tokens, which were a critical part of the application, hence the generous bounty.
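To make the 63-character point concrete from the defender's side, here is an added Python example (not part of the original write-up) that models what the mod_status Request column shows for a request line under SeeRequestTail Off (first 63 characters) and On (last 63 characters), and then scans that visible fragment for secret-bearing query parameters. The sample request lines, the parameter-name list and the function names are constructed for this example; the 63-character width is taken from the write-up above.

```python
"""Audit helper: what would /server-status reveal about requests carrying secrets in the URL?

Added example; not code from the original write-up. The request lines below are constructed.
"""
from urllib.parse import parse_qsl

# Width of the Request column in mod_status, as stated in the write-up.
STATUS_REQUEST_WIDTH = 63

# Query parameter names a defender would treat as secrets (constructed list).
SENSITIVE_PARAMS = {"token", "access_token", "session", "sessionid", "api_key", "apikey", "auth"}

# Constructed request lines as they would appear in an Apache request line.
SAMPLE_REQUEST_LINES = [
    # short enough to be shown in full
    "GET /user/me?token=abc HTTP/1.1",
    # token starts inside the 63-char head but is cut off part way through
    "GET /api/v2/accounts/profile/settings/notifications?token=abcdef0123456789 HTTP/1.1",
    # path alone fills the 63 chars, so the head shows no query string at all
    "GET /api/v2/accounts/profile/settings/notifications/unsubscribe?token=abcdef0123456789 HTTP/1.1",
]


def status_fragment(request_line, see_request_tail=False):
    """Return the slice of the request line mod_status would display."""
    if len(request_line) <= STATUS_REQUEST_WIDTH:
        return request_line
    if see_request_tail:
        return request_line[-STATUS_REQUEST_WIDTH:]
    return request_line[:STATUS_REQUEST_WIDTH]


def exposed_secrets(fragment):
    """List sensitive query parameters visible in a (possibly truncated) fragment.

    A parameter is marked partial when the query string sits at the very end of the
    fragment, i.e. nothing (such as the protocol version) followed it, so the value
    may have been cut off by the column width.
    """
    findings = []
    for piece in fragment.split():
        if "?" not in piece:
            continue
        query = piece.split("?", 1)[1]
        may_be_cut = fragment.endswith(piece)
        pairs = parse_qsl(query, keep_blank_values=True)
        for index, (name, value) in enumerate(pairs):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append({
                    "param": name,
                    "value": value,
                    "partial": may_be_cut and index == len(pairs) - 1,
                })
    return findings


def audit_status(request_lines, see_request_tail=False):
    """Return (fragment, findings) for every request line that leaks a secret."""
    report = []
    for line in request_lines:
        fragment = status_fragment(line, see_request_tail)
        findings = exposed_secrets(fragment)
        if findings:
            report.append((fragment, findings))
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print(f"SeeRequestTail {'On' if mode else 'Off'}:")
        for fragment, findings in audit_status(SAMPLE_REQUEST_LINES, mode):
            print(f"  {fragment!r}")
            for finding in findings:
                print(f"    {finding}")
```

Running it shows why the write-up's tokens leaked: with SeeRequestTail Off the short request is shown whole, the second line exposes only a five-character prefix of the token, and the third exposes nothing because the path alone consumes the column; switching SeeRequestTail On flips that, since the tail of the line then carries the full query string. The fixes that follow from this are to put the status handler behind `Require local` (or `Require ip` for a monitoring range) so that a spoofed Host header cannot reach it through the default virtual host, and to stop carrying session tokens in query strings at all, where they also end up in access logs and referrers.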

Reading /server-status alone might not be considered a vulnerability in every case, but this one was special because of the application's token handling.