"HTTP Header Injection Vulnerability (http-generic-script-header-injection)" issue

How to fix "HTTP Header Injection Vulnerability (http-generic-script-header-injection)" issue on VMware ESXi 6.0 host?
kwongluk_pang Asked:
 
Zephyr ICT (Cloud Architect) Commented:
Hi,

Are you talking about this vulnerability? It isn't valid anymore for ESXi 6.0 (or vCenter to be more precise)...

Or are you talking about something else? If you are, what exactly? Can you be a little more specific? Do you have a reference?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
I would have to agree, you should not be concerned.
0
 
gheist Commented:
-generic- means that you need to check manually IF there is any vulnerability.
If you look in OWASP, this text means unmodified text from any part of the post was returned into the page.
0
 
kwongluk_pang (Author) Commented:
Yes, it is a security vulnerability.
Our auditor used the tool to scan our ESXi 6.0 host and found the "HTTP Header Injection Vulnerability (http-generic-script-header-injection)" vulnerability.
How do we fix this issue, as we need to give an answer to our external auditor? Is there any way to fix this issue? Is it a known issue? Is there any VMware article that says we can ignore the above security vulnerability?
0
 
gheist Commented:
He has to demonstrate that it is exploitable - that the header appears on the web page unfiltered.
Like an example URL...
0
 
Zephyr ICT (Cloud Architect) Commented:
Like gheist mentions, it's a possible vulnerability, but the auditor needs to prove it. You can show the auditor the link I gave in my first post. At the time of writing, there is no known vulnerability of HTTP response splitting for ESXi 6.0.
0
 
gheist Commented:
It would be nice to hear about the scanner you used and some OWASP or similar reference for the vulnerability,
e.g. https://www.owasp.org/index.php/Top_10_2013-A1-Injection

Since it says GENERIC, I'd say that the scanner found a script that sets headers (e.g. cookies), and the place where they are parsed should be tested further like any other post field.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
If you are unsure, log a support call with VMware Support, for external verification from the vendor of the software for your Auditor.
0
 
kwongluk_pang (Author) Commented:

VA Scanner Tool : Nexpose from Rapid7 LLC


Injected into the "P" URL parameter (Using method GET) in
https://10.xx.xx.xx/en/?P=+ADw-script+AD4-alert(42)+ADw-/script+AD4- by
changing the URL to
https://10.xx.xx.xx/en/?P=%0d%0arapid7:%20injected_value
5: HTTP/1.1 303 See Other
6: Connection: close
7: Location: /en/?P=
8: Date: Thu, 23 Apr 2015 04:46:59 GMT
5: rapid7: injected_value/
0
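The scanner evidence above can be checked mechanically when re-testing for the auditor: the finding is only confirmed if the marker comes back as a header line of its own, not when it is merely echoed percent-encoded inside Location. The following is an added example, not part of the original thread or of Nexpose; the function names `parse_head` and `triage` and both sample responses are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed samples modelled on the scanner evidence quoted in this thread
# (its line-number prefixes removed). Not captured from a real host.
SPLIT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Connection: close\r\n"
    b"Location: /en/?P=\r\n"
    b"rapid7: injected_value/\r\n"
    b"Date: Thu, 23 Apr 2015 04:46:59 GMT\r\n\r\n"
)
ENCODED_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Connection: close\r\n"
    b"Location: /en/?P=%0d%0arapid7:%20injected_value\r\n"
    b"Date: Thu, 23 Apr 2015 04:46:59 GMT\r\n\r\n"
)


def parse_head(raw: bytes):
    """Return (status_line, [(name, value), ...]) from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.replace("\r\n", "\n").split("\n")  # a bare LF also ends a line
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not "name: value"
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def triage(raw: bytes, marker_name: str, marker_value: str) -> str:
    """Classify a header-injection finding from the raw response head.

    "confirmed" - the marker is a header line of its own (CR/LF passed through)
    "reflected" - the marker only appears inside another header's value
    "absent"    - the marker is not in the response head at all
    """
    _, headers = parse_head(raw)
    marker_name = marker_name.lower()
    if any(n == marker_name and marker_value in v for n, v in headers):
        return "confirmed"
    if any(marker_value in unquote(v) for _, v in headers):
        return "reflected"
    return "absent"
```

Only a "confirmed" result matches what the scanner reported; "reflected" means the server echoed the parameter but kept the CR/LF encoded, so no new header was created.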
 
kwongluk_pang (Author) Commented:

Will disabling the Managed Object Browser (MOB) fix the above vulnerability issue?

0
 
gheist Commented:
No idea. Please contact vmware support AFTER you confirm the vulnerability.
0
 
Zephyr ICT (Cloud Architect) Commented:
I don't think that would do anything. Besides, the MOB should be disabled by default; if it isn't, you can disable it, of course.
0
Question has a verified solution.
