17.1 SSRF through Host Header Injection

Server-Side Request Forgery (SSRF) through Host header injection occurs when an attacker supplies an unauthorized, malicious Host header that the server trusts, and uses it to manipulate server-side requests: redirecting traffic, bypassing access controls, or exploiting server behavior.

You can fix this issue by allowing only trusted Host headers (the server's IP address or hostname) and denying every other request, which prevents exploitation of the SSRF and Host header injection vulnerabilities.

For authorized requests, the RewriteCond directive compares the Host header against the list of accepted entries; a request passes only if the header matches one of them.

For unauthorized requests, the RewriteRule directive denies the request with a 403 Forbidden response (F) and stops further rule processing (L).

To resolve the SSRF vulnerability, perform the following steps:

  1. In a terminal window, locate the /opt/novell/oes-install/util/fixHeaderInjectionVhost.py file.

  2. Execute the script:

    python3 /opt/novell/oes-install/util/fixHeaderInjectionVhost.py

    The script dynamically updates the /etc/apache2/vhosts.d/vhost-ssl.conf Apache SSL virtual host configuration file with the server's IP address and hostname, inserting the following directives:

    RewriteCond %{HTTP_HOST} !^(<server-ip>|<server-hostname>|127\.0\.0\.1|localhost)$ [NC]

    RewriteRule ^ - [F,L]

    <server-ip>: IP address of the primary server.

    <server-hostname>: FQDN of the server.

    127.0.0.1 (local server): Loopback IP address for localhost.

    localhost: Default local hostname.

  3. Restart the Apache service to apply the changes.

    systemctl restart apache2.service

NOTE: To add an additional IP address or hostname, add it manually to the RewriteCond entry in the /etc/apache2/vhosts.d/vhost-ssl.conf Apache configuration file, for example:

RewriteCond %{HTTP_HOST} !^(<server-ip>|<server-hostname>|127\.0\.0\.1|localhost|<additional-ip>|<additional-hostname>)$ [NC]

The Apache service must then be restarted to apply the changes.
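As an added illustration (not the fixHeaderInjectionVhost.py script from the page, whose source is not shown here), the following Python snippet builds the RewriteCond line from a server IP address and hostname, including entries added manually as in the note above, and evaluates sample Host header values against it the way mod_rewrite does. The IP address, hostname and Host values are constructed for the example.

```python
import re
from typing import Iterable

# Constructed sample values for this example (TEST-NET address, not a real host).
SERVER_IP = "192.0.2.10"
SERVER_HOSTNAME = "oes1.example.com"


def build_rewrite_cond(server_ip: str, server_hostname: str,
                       extra: Iterable[str] = ()) -> str:
    """Build the RewriteCond line in the form the page shows, appending any
    manually added entries. re.escape() turns each '.' into '\\.', so an
    unescaped dot cannot act as a wildcard (192.0.2.10 vs. 192x0x2x10)."""
    allowed = [server_ip, server_hostname, "127.0.0.1", "localhost", *extra]
    alternation = "|".join(re.escape(value) for value in allowed)
    # The leading '!' negates the match: the condition is TRUE for unknown hosts.
    return f"RewriteCond %{{HTTP_HOST}} !^({alternation})$ [NC]"


def rewrite_block(server_ip: str, server_hostname: str,
                  extra: Iterable[str] = ()) -> str:
    """Both directives together: the condition plus the 403/stop rule."""
    return build_rewrite_cond(server_ip, server_hostname, extra) + "\nRewriteRule ^ - [F,L]"


def host_header_allowed(rewrite_cond: str, host_header: str) -> bool:
    """Evaluate a Host header value against a RewriteCond line built above,
    as mod_rewrite would: [NC] makes the comparison case-insensitive, and
    because the condition is negated, a Host that does not match the list
    makes the following RewriteRule fire with [F,L] (403 Forbidden, stop)."""
    parsed = re.fullmatch(r"RewriteCond %\{HTTP_HOST\} !(\S+) \[NC\]", rewrite_cond)
    if parsed is None:
        raise ValueError(f"unexpected RewriteCond line: {rewrite_cond!r}")
    pattern = parsed.group(1)  # anchored: ^(...)$, so no prefix/suffix tricks
    return re.search(pattern, host_header, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(rewrite_block(SERVER_IP, SERVER_HOSTNAME))
    cond = build_rewrite_cond(SERVER_IP, SERVER_HOSTNAME)
    # Constructed Host header values: legitimate names first, then forged ones.
    # The last one shows that an explicit port is not admitted by the anchored pattern.
    for host in ["oes1.example.com", "OES1.EXAMPLE.COM", "127.0.0.1",
                 "attacker.example.net", "oes1.example.com.attacker.net",
                 "192.0.2.100", "oes1.example.com:8443"]:
        verdict = "allowed" if host_header_allowed(cond, host) else "403 Forbidden"
        print(f"Host: {host:<32} -> {verdict}")
```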