How to fix the Host Header Injection vulnerability?

arunkumar.chinna 2020-11-26 16:20:33 UTC #1

IMPORTANT, please fill the questions

We assume you are using Bitnami to deploy your application.

Which version of the application are you using?: LMS 3.9.2-11
Please choose how you got the application: Installer (Windows, Linux, macOS), cloud image (AWS, GCE, Azure, ...) or VM (VMDK, VBOX): AWS
Have you installed any plugin or modified any configuration file?: No
Describe here your question/suggestion/issue (expected and actual results): How to fix the Host Header Injection vulnerability
Steps to reproduce the issue (if relevant):
Copy the apache log (if relevant):
```
PASTE HERE
```

davidg 2020-11-27 08:39:53 UTC #2

Hello @arunkumar.chinna,

I think this post could help:

Regards

arunkumar.chinna 2020-11-27 09:05:50 UTC #3

Hello @davidg,

Thank you for sharing the post.

How to check whether URL is absolute in Moodle Stack.
I have implemented using Approach A.
Is there any document to implement Host Header Validation and settings to protect absolute URLs.

arunkumar.chinna 2020-11-27 09:10:25 UTC #4

Hello @davidg,

Also have another question related to this,

Can we do changes in Apache configuration to avoid common web vulnerabilities in Moodle.
Will changes to the Apache configuration file impact Moodle configuration ?

davidg 2020-11-30 10:36:10 UTC #5

Hello @arunkumar.chinna,

We don't have related documentation.

You can change your Apache as necessary for your case. Bitnami offers a default configuration ready to run, but you may need to adapt it to your requirements. My suggestion is to create a backup before those changes in case you need to recover a previous configuration:
https://docs.bitnami.com/aws/apps/moodle/administration/backup-restore/

Regards

arunkumar.chinna 2020-12-04 10:44:38 UTC #6

Thank you for sharing the information.

system 2020-12-18 10:44:54 UTC #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!