CVE-2024-29643
📋 TL;DR
This vulnerability allows attackers to perform Host header injection in Croogo v3.0.2 via the feed.rss component. Attackers can manipulate HTTP Host headers to redirect users to malicious sites, perform cache poisoning, or conduct phishing attacks. Only Croogo v3.0.2 installations with the feed.rss component accessible are affected.
💻 Affected Systems
- Croogo
📦 What is this software?
Croogo by Croogo
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect all users to malicious sites, steal credentials via phishing, poison web caches to serve malicious content, or bypass authentication mechanisms.
Likely Case
Attackers redirect users to phishing sites to steal credentials or session tokens, potentially leading to account compromise.
If Mitigated
With proper input validation and Host header verification, impact is limited to failed injection attempts with no successful exploitation.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests with malicious Host headers to the feed.rss endpoint. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.0.3 or later
Vendor Advisory: https://github.com/croogo/croogo/releases
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download Croogo v3.0.3 or later from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Verify the fix by testing Host header injection attempts.
🔧 Temporary Workarounds
Web Server Host Header Validation
Configure the web server to validate and restrict Host headers
# For Apache: Set UseCanonicalName On in httpd.conf
# For Nginx: Set the server_name directive to the valid hosts, and add a catch-all default server block so requests for any other Host are not routed to the Croogo site
Disable feed.rss Component
Temporarily disable or restrict access to the vulnerable feed.rss component
# Add access restrictions in .htaccess or web server config
Deny from all
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malicious Host headers
- Restrict network access to Croogo installation to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Send an HTTP request to /feed.rss with an unexpected Host header (one the site does not serve) and check whether the server processes it rather than rejecting it
Check Version:
Check the Croogo version in the admin panel or in the installation's composer.json file
Verify Fix Applied:
Attempt Host header injection after patching; requests with malicious Host headers should now be rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual Host header values in access logs
- Multiple requests to feed.rss with varying Host headers
Network Indicators:
- HTTP requests with suspicious Host headers to feed.rss endpoint
- Unexpected redirects from Croogo installation
SIEM Query:
source="web_logs" AND uri="/feed.rss" AND (host_header CONTAINS "malicious" OR host_header NOT IN ["expected-domain.com"])
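The log indicators and SIEM query above, implemented as an added Python example (not part of this advisory or of Croogo). It assumes a constructed access-log format that records the Host request header, flags feed.rss requests whose Host is outside an allowlist, and also flags clients that cycle through several Host values against feed.rss.

```python
import re
from collections import defaultdict

# Assumed log layout (constructed for this example): the web server logs the
# Host request header after the request line, for instance
#   Apache: LogFormat "%h %t \"%r\" \"%{Host}i\" %>s" hostlog
#   Nginx:  log_format hostlog '$remote_addr [$time_local] "$request" "$host" $status';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'"(?P<host>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample log; 198.51.100.7 is a hypothetical client probing feed.rss.
SAMPLE_LOG = """\
203.0.113.5 [10/Apr/2024:12:00:01 +0000] "GET /feed.rss HTTP/1.1" "www.example.com" 200
203.0.113.5 [10/Apr/2024:12:00:02 +0000] "GET /feed.rss HTTP/1.1" "WWW.EXAMPLE.COM:443" 200
198.51.100.7 [10/Apr/2024:12:00:03 +0000] "GET /feed.rss HTTP/1.1" "other-1.invalid" 200
198.51.100.7 [10/Apr/2024:12:00:04 +0000] "GET /feed.rss?p=2 HTTP/1.1" "other-2.invalid" 200
198.51.100.7 [10/Apr/2024:12:00:05 +0000] "GET /feed.rss HTTP/1.1" "other-3.invalid" 200
198.51.100.7 [10/Apr/2024:12:00:06 +0000] "GET /index.html HTTP/1.1" "other-4.invalid" 200
""".splitlines()
ALLOWED_HOSTS = ["www.example.com"]  # the hostnames this site is meant to serve

def normalize_host(host):
    """Lower-case the Host value and strip an explicit port, so that
    'WWW.Example.com:443', '[::1]:8080' and 'www.example.com' compare sanely."""
    h = host.strip().lower()
    if h.startswith("["):                 # IPv6 literal such as [::1]:8080
        return h[1:h.find("]")]
    return h.split(":")[0]

def host_allowed(host, allowlist):
    """Exact match against the allowlist; subdomain tricks like
    www.example.com.other.invalid do not match."""
    return normalize_host(host) in {normalize_host(h) for h in allowlist}

def scan_feed_requests(lines, allowlist, vary_threshold=3):
    """Return (alerts, scanners): one alert per feed.rss request whose Host is
    not allowlisted, and the client IPs that sent >= vary_threshold distinct
    Host values to feed.rss ("multiple requests with varying Host headers")."""
    alerts, hosts_by_ip = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("uri").split("?")[0].endswith("/feed.rss"):
            continue                      # unparseable line or a different endpoint
        ip, host = m.group("ip"), m.group("host")
        hosts_by_ip[ip].add(normalize_host(host))
        if not host_allowed(host, allowlist):
            alerts.append({"ip": ip, "host": host, "status": int(m.group("status"))})
    scanners = sorted(ip for ip, hs in hosts_by_ip.items() if len(hs) >= vary_threshold)
    return alerts, scanners

if __name__ == "__main__":
    found, probing = scan_feed_requests(SAMPLE_LOG, ALLOWED_HOSTS)
    print(f"{len(found)} unexpected-Host requests to feed.rss; clients cycling Hosts: {probing}")
```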