Summary
Security researcher Bobrov uncovered a potent combination of vulnerabilities in multiple live Discourse instances, including those of Mozilla, NextCloud and others. The core issue? An XSS vulnerability via the X-Forwarded-Host header, amplified by Web Cache Deception, enabling an attacker to persist the malicious payload for other users.
This clever exploitation of a cache-plus-header-based injection earned Bobrov a $256 bounty and is a great example of how small misconfigurations can escalate into serious cross-instance vulnerabilities.
Understanding the Vulnerability
Discourse, an open-source forum platform, loads fonts using preloading and caching techniques that embed the host's domain in the font URL. It uses a partial ERB template:
<% woff2_url = "#{asset_path("fontawesome-webfont.woff2")}?#{font_domain}&v=4.7.0".html_safe %>
<link rel="preload" href="<%= woff2_url %>" as="font" type="font/woff2" crossorigin />
If you inject a payload into the X-Forwarded-Host header (the header reverse proxies use to pass along the original host) and that header value lands unsanitized in the HTML, you…
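The following is an added illustration, not Discourse's own code: a hypothetical reconstruction of the pattern described above (a forwarded host reflected into the preload tag and marked html_safe) beside a hardened version that allowlists the host and escapes it. The host names and the tampered header value are constructed for the demo.

```ruby
require "erb"

# Constructed values for the demo; a real deployment would use its own host list.
CANONICAL_HOST = "forum.example.test"
ALLOWED_HOSTS  = [CANONICAL_HOST].freeze

# Vulnerable pattern (reconstruction): trust X-Forwarded-Host and place the result
# verbatim inside the href attribute, as an html_safe string would.
def font_domain_unsafe(headers)
  headers["X-Forwarded-Host"] || headers["Host"]
end

def preload_tag_unsafe(headers)
  url = "/assets/fontawesome-webfont.woff2?#{font_domain_unsafe(headers)}&v=4.7.0"
  %(<link rel="preload" href="#{url}" as="font" type="font/woff2" crossorigin />)
end

# Hardened pattern: accept a forwarded host only if it is on an explicit allowlist,
# fall back to the canonical host otherwise, and HTML-escape the value regardless.
# Because the output no longer varies with an attacker-controlled header, a shared
# cache cannot be seeded with a poisoned copy of the page for other users.
def font_domain_safe(headers)
  candidate = (headers["X-Forwarded-Host"] || headers["Host"]).to_s.downcase.strip
  ALLOWED_HOSTS.include?(candidate) ? candidate : CANONICAL_HOST
end

def preload_tag_safe(headers)
  domain = ERB::Util.html_escape(font_domain_safe(headers))
  url = "/assets/fontawesome-webfont.woff2?#{domain}&v=4.7.0"
  %(<link rel="preload" href="#{url}" as="font" type="font/woff2" crossorigin />)
end

# Constructed header set: the forwarded host carries attribute-breaking characters.
TAMPERED = { "Host" => CANONICAL_HOST, "X-Forwarded-Host" => %(evil.test"><b>x</b>) }

if __FILE__ == $PROGRAM_NAME
  puts preload_tag_unsafe(TAMPERED) # href attribute is closed early by the header value
  puts preload_tag_safe(TAMPERED)   # canonical host only, nothing injected
end
```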