Securing the data server against host header injection vulnerabilities

To prevent host header injection attacks, the data server allows sessions to be established only with clients (usually through the data server admin interface) that use specific host names or IP addresses in the URLs used to connect to the data server. These allowed hosts are determined automatically by the system and can be supplemented with additional entries in a configuration file.

About this task

By default, the data server attempts to determine both the primary host name and the primary IP address. If the default configuration is not modified, these are the only references to the data server that work in the URLs that a client uses to establish a session with the data server. Check the AppServer.out file in the /deepfs/config directory to see which hosts are allowed. The contents of the file might look like this example:
*** RESTART ***

Wed Jun 19 21:15:57 UTC 2019

getAllowedHosts: ['198.51.100.0', 'storediq-ds1']

The data server lists the allowed hosts, in this case 198.51.100.0 and storediq-ds1, that can be used by clients. In general, two default hosts are automatically determined by the data server on startup: the primary IP address (198.51.100.0) and the primary host name (storediq-ds1). In addition, one or more hosts that represent the local data server system might also be automatically determined, for example, the localhost IP address of 127.0.0.1.

Often the default hosts are not sufficient, and host names need to be added to the system to allow clients to use those host names in their URLs. To do so, modify the settings.py file in the /usr/lib/python2.6/site-packages/deepfile/ui/djangoweb directory with the list of allowed hosts to add.

Procedure

  1. Using an SSH tool, log in to the data server as root or as a user with sudo access.
  2. Go to the /usr/lib/python2.6/site-packages/deepfile/ui/djangoweb directory.
  3. Back up the settings.py file located in this directory.
  4. Edit the settings.py file.
    1. Locate the line that starts with ALLOWED_HOSTS.
      This line is usually within the first 15 lines:
      ALLOWED_HOSTS = getAllowedHosts()
    2. To provide an extra allowed host, insert it into the ALLOWED_HOSTS line as follows:
      ALLOWED_HOSTS = getAllowedHosts('dataserver')
      Thus, the dataserver host is added to the allowed hosts when the AppServer service is restarted.
    3. To provide more than one allowed host, add them in the same way, separating each with a comma:
      ALLOWED_HOSTS = getAllowedHosts('dataserver', 'myds')
  5. Save the settings.py file.
  6. Restart the AppServer service to pick up the new configuration by running the following command:
    monit restart AppServer -c /etc/deepfile/monitrc
    The AppServer restart takes a little while. You can monitor the progress by using the following command:
    monit summary AppServer -c /etc/deepfile/monitrc

    The AppServer service must be restarted for any changes in settings.py to take effect.

Results

After a restart with the modified ALLOWED_HOSTS line (as in the example), the output in AppServer.out might look like this:
*** RESTART ***

Wed Jun 19 21:25:37 UTC 2019

getAllowedHosts: ['198.51.100.0', 'dataserver', 'myds', 'storediq-ds1']

This security approach means that the URLs used in browsers to access the data server user interface must use one of the allowed IP addresses or host names listed in the AppServer.out file when the AppServer service initializes. If a client attempts to establish a session using a host name or IP address that was neither automatically determined nor specified in the ALLOWED_HOSTS line of settings.py, the session request is rejected.

Example

A user tries to access the admin user interface of the data server from the examples above with this URL: https://storediq-dataserver/login

Provided the host name storediq-dataserver is resolved to the data server system (either through DNS resolution or an entry in the client system’s hosts file), the user is presented with the login page as usual. However, the login attempt results in the following error message:
Unhandled Exception
An unhandled exception was thrown by the application.

This is because storediq-dataserver is not an allowed host. If they instead use the URL https://storediq-ds1/login, the login is processed in the normal way and access should be granted to the data server admin user interface provided suitable credentials are supplied.
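The following Python is an added illustration of the mechanism described in the procedure and in the example above; it is not the data server's own getAllowedHosts() or Django's code. It assumes a hypothetical get_allowed_hosts() that merges automatically discovered hosts (loopback, primary host name, primary IP address) with the extra names passed in, and an is_allowed_host() check that applies the same rules Django uses for ALLOWED_HOSTS (exact match, leading-dot suffix match, and the "*" wildcard) to an incoming Host header. The host values are the constructed ones from this page.

```python
import re
import socket
from typing import Iterable, List, Optional

# Shape of a syntactically valid Host header value: a DNS name or IPv4
# literal, or a bracketed IPv6 literal, each optionally followed by ":port".
# Anything else (user-info, spaces, path characters) is rejected outright.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def local_default_hosts() -> List[str]:
    """Assumed stand-in for the automatic discovery described on the page:
    loopback plus the primary host name and the address it resolves to."""
    hosts = ["127.0.0.1"]
    try:
        name = socket.gethostname()
        hosts.append(name)
        hosts.append(socket.gethostbyname(name))
    except OSError:
        pass  # no resolver available; keep what was found so far
    return hosts


def get_allowed_hosts(*extra: str, defaults: Optional[Iterable[str]] = None) -> List[str]:
    """Hypothetical equivalent of the page's getAllowedHosts(): combine the
    automatically determined hosts with the explicitly added ones. Entries
    are lower-cased and de-duplicated; the sorted result mirrors the
    AppServer.out line shown on the page."""
    base = list(defaults) if defaults is not None else local_default_hosts()
    return sorted({h.strip().lower() for h in (*base, *extra) if h.strip()})


def split_host_port(host_header: str) -> Optional[str]:
    """Return the host part of a Host header value, or None if malformed."""
    value = host_header.strip().lower()
    if not _HOST_RE.match(value):
        return None
    if value.startswith("["):
        return value[1 : value.index("]")]  # bracketed IPv6 literal
    host = value.split(":", 1)[0]  # name or IPv4, optional port dropped
    return host[:-1] if host.endswith(".") else host  # ignore trailing dot


def is_allowed_host(host_header: str, allowed: Iterable[str]) -> bool:
    """Django-style ALLOWED_HOSTS decision: exact match, or an entry such as
    '.example.com' matching the domain and all its subdomains. '*' permits
    every host and defeats the protection, so it has no place in production."""
    host = split_host_port(host_header)
    if host is None:
        return False
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


if __name__ == "__main__":
    # Constructed values matching the page: two discovered hosts plus the two
    # names added on the ALLOWED_HOSTS line of settings.py.
    allowed = get_allowed_hosts("dataserver", "myds",
                                defaults=["198.51.100.0", "storediq-ds1"])
    print("allowed:", allowed)
    for header in ["storediq-ds1", "storediq-ds1:443", "myds",
                   "storediq-dataserver", "198.51.100.0@evil", "[::1]:8443"]:
        verdict = "accepted" if is_allowed_host(header, allowed) else "rejected"
        print(f"Host: {header!r:26} -> {verdict}")
```

Running the block prints the merged list in the same order as the AppServer.out output above and shows https://storediq-dataserver/login being rejected while storediq-ds1 (with or without a port) is accepted. The regex check matters as much as the list lookup: a Host value that does not even parse as a host is refused before any comparison, which is how Django avoids being tricked by unusual header encodings.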