
UTM - Redirection via Arbitrary Host Header Manipulation ?

Hi,

A customer of ours has had a PCI DSS check done and failed. The report came back with the following but I'm not sure what to do. They only have one website behind the firewall, Exchange OWA. Looking at the details, it's referring to the UTM, as the Host OS isn't Microsoft. The user portal is disabled too. Any advice or comments would be really useful, and thanks in advance.

Category: Web Application
CVE: -
CVSS base score: 6.4
Description: Redirection via Arbitrary Host Header Manipulation
Host: REMOVED
Threat: -
Impact: -
Solution: -
PCI compliant: No
PCI details: -
Reason: The vulnerability is not included in the NVD.
PCI severity: medium
Port: 443 / tcp
Host name: No registered hostname
Host OS: EulerOS / Ubuntu / Fedora / Tiny Core Linux / Linux 3.x / IBM / FortiSOAR

Result

url: https://REMOVED/eup
comment: Redirection via Arbitrary Host Header Manipulation found at PORT : 443

matched: val'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;
X-Webkit-CSP: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss:;
Location: vhb3mss3.qualys.com:10443/.../
Content-Length: 246
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The do

CVSS Base Score: 6.4 - AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Temporal Score: 4.7 - E:U/RL:W/RC:UC
Severity: 3
Category: Web Application
CVE ID:
Vendor Reference:
Bugtraq ID:
Date Updated: Sep 5, 2023

Threat

The Host header is an HTTP request header that specifies the domain name of the server the client is trying to communicate with. It allows a single web server to host multiple websites by distinguishing between them based on the domain name provided in the Host header.

Redirection via Arbitrary Host Header Manipulation is a security vulnerability that occurs when an attacker manipulates the Host header in an HTTP request to inject malicious data. By doing so, the attacker can trick the web server into processing the request as if it were directed to a different domain. This can lead to various types of attacks, such as website defacement, session hijacking, and cross-site scripting (XSS).

QID Detection Logic:
This QID sends an HTTP request with the payload in the Host header to check if the target is vulnerable.

Detection is solely based on the redirect response received from the server. At times a WAF or reverse proxy may respond on behalf of the server.
In such cases, WAF configurations should be validated to identify potential misconfigurations.

Impact

Attackers can redirect users to malicious content, deface websites, or trick users into disclosing sensitive information through phishing attacks.

Solution

Implementing proper validation and sanitization of input headers is essential to mitigate the risks of Host header injection.
Whitelist domains: only allow permitted domains to be included in the Host header.
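The scanner's detection logic above looks for one thing: a redirect whose Location echoes whatever hostname the scanner put in the Host header. The following is an added example, not code from the UTM, Sophos or Qualys. It shows the allowlist check the Solution section describes, a redirect builder that takes its host from a fixed canonical name instead of the request, the vulnerable "echo the Host header" variant beside it, and a small triage helper that tells whether a captured response (the report's `Location: vhb3mss3.qualys.com:10443/.../` line is reused as sample input) actually reflects the Host value that was sent. `ALLOWED_HOSTS`, `CANONICAL_HOST` and the `owa.example.com` names are constructed assumptions.

```python
"""Host header allowlisting and redirect hardening (added example).

Assumes a web front end that issues redirects for an OWA-style site.
ALLOWED_HOSTS and CANONICAL_HOST are constructed sample values.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed: the only names this deployment legitimately answers to.
ALLOWED_HOSTS = {"owa.example.com", "mail.example.com"}
CANONICAL_HOST = "owa.example.com"

# Characters that never belong in a Host header value; their presence means
# the client is trying to smuggle a path, scheme, userinfo or fragment.
_FORBIDDEN = "/\\@?#"


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lower-cased hostname from a Host header value (port removed),
    or None if the value is absent or malformed."""
    if not host_header:
        return None
    value = host_header.strip()
    if any(c in _FORBIDDEN for c in value) or any(c.isspace() for c in value):
        return None
    try:
        parsed = urlsplit("//" + value)      # parse as an authority component
        hostname = parsed.hostname          # lower-cases, strips port/brackets
        _ = parsed.port                     # ValueError on a bad port
    except ValueError:
        return None
    return hostname or None


def host_allowed(host_header: Optional[str], allowed=frozenset(ALLOWED_HOSTS)) -> bool:
    """Allowlist check: the request's Host must name a host we actually serve."""
    hostname = normalize_host(host_header)
    return hostname is not None and hostname in allowed


def vulnerable_redirect_location(host_header: str, path: str) -> str:
    """The pattern the scanner is looking for: the redirect target is built
    from the client-supplied Host header, so a forged Host steers the user."""
    return f"https://{host_header}{path}"


def build_redirect_location(host_header: Optional[str], path: str) -> str:
    """Hardened form: the host component always comes from CANONICAL_HOST and
    the request's Host is only accepted if it is on the allowlist. Only a
    server-relative path is permitted as the redirect target."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("redirect target must be a server-relative path")
    if not host_allowed(host_header):
        raise ValueError("request Host not in allowlist")
    return f"https://{CANONICAL_HOST}{path}"


def parse_location(raw_response: str) -> Optional[str]:
    """Pull the Location header value out of a captured HTTP response block."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def redirect_reflects_host(sent_host: str, location_header: Optional[str]) -> bool:
    """Triage helper for a finding like the one in the report: True if the
    server's Location echoes the hostname that was sent in Host."""
    if not location_header:
        return False
    sent = normalize_host(sent_host)
    loc = location_header.strip()
    if "://" not in loc:                    # schemeless form, as in the report
        loc = "//" + loc
    try:
        returned = urlsplit(loc).hostname
    except ValueError:
        return False
    return sent is not None and returned == sent


# Constructed sample: the Location line from the report, as a scanner would see it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: vhb3mss3.qualys.com:10443/.../\r\n"
    "Content-Length: 246\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
)

if __name__ == "__main__":
    sent = "vhb3mss3.qualys.com:10443"
    print("reflected:", redirect_reflects_host(sent, parse_location(SAMPLE_RESPONSE)))
    print("hardened :", build_redirect_location("mail.example.com", "/owa/"))
```

Run against a captured response, `redirect_reflects_host` returning True is exactly the condition the report describes; for the hardened builder it returns False because the Location names the canonical host regardless of what the client sent. If the response is being produced by a WAF or reverse proxy in front of the application (as the report's note allows), the allowlist belongs in that proxy's virtual-host configuration rather than in the application.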



  • So this turned out to be a tricky one with no real good outcome, as the PCI DSS scan was being done by an external firm and there was no means to find out what tools they were using to detect this, nor were they willing to help.

    This is from Sophos Tech Support, so even they didn't know why the scan was picking it up, because they remoted in and saw there were no WAF rules in place.

    In a nutshell, disabling WAF was the only way to stop the scan failing - if you are doing this, please ensure you are not using WAF.

    So to do this:

    SSH into the UTM

    Log on as loginuser

    su root

    cd ..
    cd ..
    cd etc
    cd init.d
    /var/mdw/scripts/reverseproxy stop

    The command will only stop the service and it'll restart again when the UTM is next rebooted.