Host header hijack and redirect to an external domain


Article ID: 222071


Updated On:

Products

Clarity PPM On Premise

Issue/Introduction

Using an intercepting proxy such as Burp Suite, an attacker can modify the Host header of an HTTP request before it reaches the application.

Because the application uses the Host header when it builds absolute URLs, the responses then contain links and redirects that point to a domain outside the site (a domain controlled by the attacker).

Cause

This is caused by the Apache Tomcat configuration: with the default server.xml, every request is handled by the Host element named localhost whatever the value of its Host header, so the attacker-supplied host name is passed through to the application unchanged.

Environment

Release : 15.9.1

Component : CLARITY SECURITY INTEGRATION

Resolution

Modify server.xml in the Apache Tomcat conf directory as follows.

From:

<Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>

To:

<Host name="servername"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Alias>servername.broadcom.com</Alias>

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="servername_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>

Replace servername with the host name of your server and servername.broadcom.com with its fully qualified domain name (FQDN); add one <Alias> element for each additional name users are expected to type. After this change a request whose Host header matches neither the Host name nor an Alias no longer maps to any virtual host: the Engine's defaultHost still refers to localhost, which no longer exists, so Tomcat answers 404 instead of passing the forged value to the application. Do not set defaultHost to servername, because that would again route every Host header value to the application. Restart Tomcat and verify by repeating the request with a forged Host header: it should now be rejected, and the Location header and links in normal responses should carry only the configured names.
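The following is an added example, not Clarity or Tomcat code, that models why the change above works. It embeds the "from" and "to" Host fragments from this article inside an assumed stock <Engine defaultHost="localhost"> wrapper, applies a simplified version of Tomcat's host-mapping rule (case-insensitive match on a Host name or Alias, otherwise the Engine defaultHost, and 404 when no Host carries that name; wildcard hosts are not modelled), and shows what a forged Host header produces before the fix, after the fix, and with the mistaken variant where defaultHost is changed to servername. The app_redirect function and the paths are hypothetical stand-ins for an application that builds absolute URLs from the Host header.

```python
"""Model of how a forged Host header reaches an application through
Tomcat's virtual-host mapping, before and after the server.xml change.
Added example; not Clarity PPM or Apache Tomcat code."""
import re
import xml.etree.ElementTree as ET

# The <Engine> wrapper is assumed from the stock Tomcat server.xml; the
# <Host> bodies are the "from" and "to" fragments of the article.
SERVER_XML_BEFORE = """
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  </Host>
</Engine>
"""

SERVER_XML_AFTER = """
<Engine name="Catalina" defaultHost="localhost">
  <Host name="servername" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Alias>servername.broadcom.com</Alias>
  </Host>
</Engine>
"""

# Constructed "wrong fix": the Host was renamed but defaultHost was made to
# match it again, so unmatched Host headers are served once more.
SERVER_XML_WRONG_DEFAULT = SERVER_XML_AFTER.replace(
    'defaultHost="localhost"', 'defaultHost="servername"')


def parse_hosts(server_xml):
    """Return (default_host, {host_name: [aliases]}) from an <Engine> fragment.
    Tomcat treats host names and aliases case-insensitively, so lower-case them."""
    engine = ET.fromstring(server_xml)
    hosts = {}
    for host in engine.findall("Host"):
        aliases = [a.text.strip().lower() for a in host.findall("Alias") if a.text]
        hosts[host.get("name").lower()] = aliases
    return engine.get("defaultHost").lower(), hosts


def server_name(host_header):
    """Tomcat maps on the host part of the Host header, without any :port."""
    return re.sub(r":\d+$", "", host_header.strip()).lower()


def resolve_host(server_xml, host_header):
    """Simplified Tomcat Mapper rule: exact match on a Host name or Alias,
    otherwise the Engine defaultHost; if no Host carries that name the
    request maps nowhere and Tomcat answers 404 (returned here as None)."""
    default_host, hosts = parse_hosts(server_xml)
    name = server_name(host_header)
    for host, aliases in hosts.items():
        if name == host or name in aliases:
            return host
    return default_host if default_host in hosts else None


def app_redirect(host_header, path="/"):
    """Hypothetical stand-in for an application that builds absolute URLs
    from the Host header it received: the weakness the article describes."""
    return f"https://{host_header}{path}"


def simulate(server_xml, host_header, path="/"):
    """(status, Location) as the client would see it for one Host header."""
    if resolve_host(server_xml, host_header) is None:
        return 404, None
    return 302, app_redirect(host_header, path)


if __name__ == "__main__":
    configs = (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER),
               ("wrong defaultHost", SERVER_XML_WRONG_DEFAULT))
    for label, cfg in configs:
        for hdr in ("servername.broadcom.com", "SERVERNAME:8080", "attacker.example"):
            print(f"{label:18} Host: {hdr:26} -> {simulate(cfg, hdr)}")
```

Against a real server the same check is one request per case: send GET / with a legitimate Host header and with a forged one (for example through Burp Repeater or curl with -H "Host: attacker.example") and confirm the forged request gets a 404 after the change while the legitimate one still reaches Clarity and its redirects name only the configured host.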