by sjustinas 3024 days ago
What an awful disclosure.

> <...>an elevation of privilege vulnerability exists when a ASP.NET Core web application fails to validate web requests correctly.

Fails to mention what "validating a request correctly" means. Recommends to limit allowed Host header values as a mitigation, but does not say what values are safe to accept. Example.com? localhost? 127.0.0.1? covfefe?

4 comments

> What an awful disclosure. Fails to mention what "validating a request correctly" means.

Click one link, the first one in the main page text, scroll down, and you're here (1)

> Q: Are there any more details on what "fails to validate web requests correctly" means and/or a PoC for this?

> A: No. We don’t publish more details or PoCs.

This seems entirely deliberate and unsurprising on day 1 when few have applied the patch yet, and is therefore not "awful".

1) https://github.com/aspnet/Home/issues/2954#issuecomment-3728...

Actually, if you're against full disclosure, it's the exact reverse of "awful".

I'm in favour of full disclosure ... eventually. Today does not seem like the right time for that yet.

Host header attacks aren't exactly new [0]. However, it seems that this is deliberately vague to prevent people from exploiting it whilst systems are patched. I note that the CVE details [1] are not yet available, so perhaps the actual issue is a bit more complex.

[0] https://www.acunetix.com/blog/articles/automated-detection-o...

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0787

Yeah, and it sounds more like RCE than a privilege escalation vulnerability. I wonder if they're deliberately being brief and misleading about it to prevent attacks.

Hopefully Mr. Shcherbakov will provide more details.