Missing Validation checks in Filr HTTP Host headers

  • 7021148
  • 31-Jul-2017
  • 26-Mar-2018

Environment

Micro Focus Filr 3

Situation

The HTTP Host header is not validated to ensure that it names the host the request was actually sent to. Without that check, a request carrying a crafted Host header can cause the server to redirect a URL to a malicious website.

Resolution

A fix for this issue is available in the Filr 3.3.2 Update. With the fix in place, validation of the HTTP Host header is enforced, which nullifies any attempt to redirect a URL to a malicious website.

How To Enable HOST header validation in Filr 3.3.2 (or newer):
Host header validation is disabled by default after applying the Filr 3.3.2 (or newer) Update. A command-line Java utility is provided to enable Host header validation and to configure which domain(s) are allowed to access Filr in your deployment. Follow these steps to enable Host header validation for your Filr site:

  1. Check that you are running Filr 3.3.2 (or newer).
  2. Download the Java utility zip file from here.
  3. If SSH is not running, log in to the Filr Appliance Config (https://hostname:9443) and start SSH from System Services.
  4. Using an SSH/SFTP client such as Bitvise SSH or WinSCP, log in to the Filr appliance remotely as user "root" and upload the zip file downloaded in step 2 to the appliance.
  5. Unzip the Java utility with the command: unzip FilrHostHeaderValidation.zip, then change directory to the FilrHostHeaderValidation folder.
  6. Run the utility with the command: java -jar HostHeaderValidation.jar
  7. Select from the menu:
    1 : Enable  Host Header Validation
    2 : Disable Host Header Validation
    3 : Display the current setting
    4 : Quit

    Enter 1 to enable Host header validation or to modify the allowed domains.
    You will be prompted to enter the complete list of trusted domains, separated by commas without spaces.
    Enter all the domains that can be used to access your Filr site. For example: filr.exampledomain1.com,filr.exampledomain2.com

    Enter 2 to disable Host header validation.

    Enter 3 to display the current status and the allowed domains.

    Enter 4 to quit.

  8. Restart the Filr service for the changes to take effect.
  9. Remember to stop SSH again: log in to the Filr Appliance Config (https://hostname:9443) and stop SSH from System Services.
  10. If your Filr deployment has more than one Filr application server, repeat steps 1-9 on each of them.
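As an added illustration of what the enabled check enforces (example code written for this article, not Filr's own implementation): the Host header must exactly match one of the trusted domains configured in step 7, with the port stripped, and a redirect URL is only ever built from a host that passed that check. The domain names and sample headers below are constructed.

```python
# Added illustration (not Filr's own code) of Host header validation against a
# trusted-domain allowlist given as a comma-separated list without spaces.
import re
from typing import Optional

# a hostname, optionally followed by :port; nothing else (no userinfo, no path)
_HOST_RE = re.compile(r"^(?P<name>[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def parse_allowed_domains(setting: str) -> frozenset:
    """Parse 'filr.exampledomain1.com,filr.exampledomain2.com' into a set.
    DNS names are case-insensitive, so entries are lower-cased."""
    domains = frozenset(d.strip().lower() for d in setting.split(",") if d.strip())
    if not domains:
        raise ValueError("the trusted-domain list must not be empty")
    return domains


def validated_host(host_header: Optional[str], allowed: frozenset) -> Optional[str]:
    """Return the normalised 'name[:port]' if the Host header is trusted, else None.
    The match is exact: 'filr.exampledomain1.com.evil.net' and
    'evil.filr.exampledomain1.com' are both rejected, as is a missing header."""
    if not host_header:
        return None
    m = _HOST_RE.match(host_header.strip().lower())
    if m is None or m.group("name") not in allowed:
        return None
    port = m.group("port")
    if port is not None and int(port) > 65535:
        return None
    return m.group("name") if port is None else f"{m.group('name')}:{port}"


def safe_redirect_location(host_header, allowed, path="/") -> Optional[str]:
    """Absolute redirect URL built only from a validated host. Without the check
    the client-supplied header would flow straight into the Location header;
    None tells the caller to answer 400 Bad Request instead of redirecting."""
    host = validated_host(host_header, allowed)
    return None if host is None else f"https://{host}{path}"


if __name__ == "__main__":
    allowed = parse_allowed_domains("filr.exampledomain1.com,filr.exampledomain2.com")
    # constructed sample Host headers, one per request
    for hdr in ["filr.exampledomain1.com", "FILR.exampledomain2.com:8443",
                "filr.exampledomain1.com.evil.net", "evil.com@filr.exampledomain1.com", None]:
        print(f"{hdr!r:45} -> {safe_redirect_location(hdr, allowed, '/login')}")
```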