About Host header attack

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

shawnhy
Joomla! Apprentice
Posts: 34
Joined: Tue Jan 22, 2013 3:37 am
Location: Taiwan, a democratic country

About Host header attack

Post by shawnhy » Tue Aug 14, 2018 5:46 am

First of all, I acknowledge that I don't have the latest Joomla! installed. My running system is 3.8.8. AWVS(acknowledge) scanner reports a host attack risk. (https://www.acunetix.com/vulnerabilitie ... der-attack). I was wondering if there is a reliable way to get rid of this warning? Or probably Joomla! team has solved this potential issue?

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: About Host header attack

Post by mandville » Tue Aug 14, 2018 7:03 am

Update, then re-run the scan.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

shawnhy
Joomla! Apprentice
Posts: 34
Joined: Tue Jan 22, 2013 3:37 am
Location: Taiwan, a democratic country

Re: About Host header attack

Post by shawnhy » Wed Aug 15, 2018 12:58 am

Unfortunately, updating to the latest version did not solve this problem.

mandville
Joomla! Master
Posts: 14689
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: About Host header attack

Post by mandville » Wed Aug 15, 2018 2:00 am

Run the FPA, contact your scanner provider for a full report, post your report here.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

leolam
Joomla! Master
Posts: 19044
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: About Host header attack

Post by leolam » Wed Aug 15, 2018 3:53 am

shawnhy wrote:
Tue Aug 14, 2018 5:46 am
Or probably Joomla! team has solved this potential issue?
If you do not post a link to your website, we cannot verify whether this is (as usual with these kinds of claims) a false positive. Please provide the link so we can double-check.

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

shawnhy
Joomla! Apprentice
Posts: 34
Joined: Tue Jan 22, 2013 3:37 am
Location: Taiwan, a democratic country

Re: About Host header attack

Post by shawnhy » Wed Aug 15, 2018 7:32 am

@leolam because of some reasons I cannot publish the link here. Do you mind if I send you a pm? I represent the weakness and we can pollute header values
http://imgur.com/Pe17oZX

Webdongle
Joomla! Master
Posts: 35248
Joined: Sat Apr 05, 2008 9:58 pm

Re: About Host header attack

Post by Webdongle » Wed Aug 15, 2018 9:19 am

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

shawnhy
Joomla! Apprentice
Posts: 34
Joined: Tue Jan 22, 2013 3:37 am
Location: Taiwan, a democratic country

Re: About Host header attack

Post by shawnhy » Wed Aug 15, 2018 10:44 am

@Webdongle,
Thank you for replying. My site is not hacked. I was discussing an issue reported by Vulnerability Scanner. Probably it's less than a threat, but since it has been told, I'd like to know more about it.

leolam
Joomla! Master
Posts: 19044
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: About Host header attack

Post by leolam » Wed Aug 15, 2018 5:53 pm

shawnhy wrote:
Wed Aug 15, 2018 7:32 am
Do you mind if I send you a pm?
Yes, I do mind. Forum support happens in the open field. Private support = paid support

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

sozzled
Joomla! Champion
Posts: 5520
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: About Host header attack

Post by sozzled » Wed Aug 15, 2018 6:24 pm

shawnhy wrote:
Tue Aug 14, 2018 5:46 am
First of all, I acknowledge that I don't have the latest Joomla! installed. My running system is 3.8.8.
That's your choice and you will have to own any problems pursuant to that choice.

shawnhy wrote:
Tue Aug 14, 2018 5:46 am
AWVS(acknowledge) scanner reports a host attack risk. (https://www.acunetix.com/vulnerabilitie ... der-attack).
That's your choice to use this service. I don't know anything about the reputation of the service. It may be a reputable service or it may be not worth the expense of using it; I wouldn't know. I have little faith in iron-clad, rock-solid, guaranteed/money-back-if-unsatisfied promises from any anti-virus/malware scanning service; these services may be able to detect problems just as they can also give false signals that problems actually exist.

shawnhy wrote:
Tue Aug 14, 2018 5:46 am
I was wondering if there is a reliable way to get rid of this warning?
The best way to get rid of this warning is to not use that scanning service.

shawnhy wrote:
Tue Aug 14, 2018 5:46 am
Or probably Joomla! team has solved this potential issue?
If, perhaps, you had maintained your website software and you were using J! 3.8.11, you could test Joomla! against the AWVS service, using a couple of different hosting platforms, to see what AWVS says about Joomla and the "potential issue(s)" you're describing.

I'm inclined to agree with @mandville that, without any supporting evidence, it's probably a false positive.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?
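
A scanner's Host header finding like the one discussed in this thread can be triaged by looking at the response to a request that carried a recognisable Host value and checking whether that value came back inside URLs. The following is an added example, not part of any post in the thread; the canary hostname, the function names and the sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

CANARY = "canary.example.invalid"  # constructed value sent as the Host header
URL_HEADERS = {"location", "content-location", "refresh", "link"}
REJECT_STATUSES = {400, 403, 421}  # server refused the unknown host name
ATTR_URL = re.compile(r'\b(href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)


def _host_of(url):
    """Hostname of an absolute or scheme-relative URL, else None."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower() or None
    except ValueError:  # malformed URL in the page, treat as no host
        return None


def find_reflections(headers, body, canary=CANARY):
    """List the places where the probe's Host value came back inside URLs."""
    hits = []
    for name, value in headers.items():
        if name.lower() in URL_HEADERS and canary in value.lower():
            hits.append("header:" + name.lower())
    for attr, url in ATTR_URL.findall(body):
        if _host_of(url) == canary:  # exact host match, not a substring
            hits.append("body:" + attr.lower())
    return hits


def triage(status, headers, body, canary=CANARY):
    """Classify one probe response: reflected, rejected or not-reflected."""
    hits = find_reflections(headers, body, canary)
    if hits:
        return "reflected", hits
    if status in REJECT_STATUSES:
        return "rejected", []
    return "not-reflected", []


# Constructed probe responses (not captured from any real site).
SAMPLES = {
    "links built from Host": (200, {"Content-Type": "text/html"},
        '<base href="http://canary.example.invalid/" />'
        '<a href="/index.php?view=reset">Reset</a>'),
    "redirect built from Host": (301, {"Location": "https://canary.example.invalid/"}, ""),
    "unknown Host refused": (421, {"Content-Type": "text/plain"}, "Misdirected Request"),
    "hostname pinned": (200, {"Content-Type": "text/html"},
        '<base href="https://www.example.org/" /><a href="/index.php">Home</a>'),
}

if __name__ == "__main__":
    for label, (status, headers, body) in SAMPLES.items():
        print(label, "->", triage(status, headers, body))
```

A "reflected" result means the application builds URLs from the request's Host header, which is what the scanner warning is about; "rejected" and "not-reflected" point to a false positive for that request. Pinning the site's hostname in the web server or application configuration is what turns the first outcome into one of the other two.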

