The doc says:
"You can visit http://127.0.0.1:8080/rewrite-status (or whatever the address of your local webapp and context) to see output (note: this page is only viewable from localhost)."
But if the HTTP request Host field is changed to localhost or 127.0.0.1, then
http://<remote server IP>:<server port>/rewrite-status
can be accessed and shows the rewriter configurations.
request.getServerName() will return the Host field value, which can be changed by an attacker.
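
The check described in this report next to one keyed on the connection's peer address, as an added example that is not code from the issue or from the project. The `Req` record and both method names are hypothetical stand-ins for the servlet request values `getServerName()` and `getRemoteAddr()`, and the sample requests are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class LocalOnlyCheck {
    // Hypothetical stand-in for the two request values involved (not the servlet API):
    // serverName models request.getServerName(), which follows the client's Host header;
    // remoteAddr models request.getRemoteAddr(), the peer IP of the TCP connection.
    record Req(String serverName, String remoteAddr) {}

    // Weak check, as reported: the decision rests on a value the client supplies.
    static boolean allowedByServerName(Req r) {
        String name = r.serverName();
        return "localhost".equalsIgnoreCase(name) || "127.0.0.1".equals(name);
    }

    // Hardened check: the decision rests on where the connection came from.
    static boolean allowedByRemoteAddr(Req r) {
        String addr = r.remoteAddr();
        // InetAddress.getByName(null) and getByName("") both return loopback,
        // so a missing address must be rejected before parsing (fail closed).
        if (addr == null || addr.isEmpty()) {
            return false;
        }
        try {
            // For an IP literal this only parses the text; no DNS lookup happens.
            return InetAddress.getByName(addr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests; 203.0.113.7 is a documentation-range address.
        Req[] samples = {
            new Req("localhost", "127.0.0.1"),          // genuine local request
            new Req("localhost", "0:0:0:0:0:0:0:1"),    // genuine local request over IPv6
            new Req("127.0.0.1", "203.0.113.7"),        // remote client, Host set to 127.0.0.1
            new Req("app.example.test", "203.0.113.7"), // remote client, ordinary Host
            new Req("localhost", ""),                   // peer address missing
        };
        for (Req r : samples) {
            System.out.printf("Host=%-17s peer=%-16s byServerName=%-5b byRemoteAddr=%b%n",
                    r.serverName(), r.remoteAddr(),
                    allowedByServerName(r), allowedByRemoteAddr(r));
        }
    }
}
```

When the application sits behind a reverse proxy on the same host, every request reaches it from a loopback peer, so in that layout the restriction has to be enforced at the proxy instead.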