Troubleshooting
Problem
Security scans may report HTTP header injection issues against Information Server.
Symptom
A security scan has reported an HTTP Host header injection issue against Information Server.
Cause
Configuration settings in WebSphere: the default virtual host aliases accept any host name ("*"), so requests carrying an arbitrary Host header are served.
Environment
Information Server installations at any release level, with stand-alone or clustered WebSphere
Diagnosing The Problem
The scan report may indicate that an HTTP 302 redirect was returned after Host header injection, that is, the server redirected the client to the injected host name.
Resolving The Problem
See the WebSphere Application Server documentation on security hardening, which provides specific instructions that must be followed to harden production environments.
In the WebSphere Administration console:
- Navigate to Environment (twisty) -> Virtual Hosts -> Hosts -> default host -> Host Aliases
- Replace "*" with the hostname and select the ports that will be part of this virtual host.
For example, ports 9080, 80, 9443, 5060, 5061, 443, 9081, 9444.
Any subsequent Host header injection attempt against your specific host name will result in 404 Not Found errors, and redirection to the injected host will not occur.
If for any reason the above steps do not work, see http://publib.boulder.ibm.com/httpserv/ihsdiag/examples.html#unknownhost for alternative steps from the IBM HTTP Server team.
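The following script is an added example, not part of this IBM document: it audits a WebSphere virtualhosts.xml for host aliases that still use the wildcard "*", and classifies a probe response the way the scan report above does (a redirect whose Location points at the injected host name). The virtualhosts.xml layout, the host names and the sample content are constructed assumptions for this example.

```python
# Added example (not IBM's code): audit WebSphere virtual host aliases for the
# wildcard "*" and classify a Host-header probe response as in the scan report.
# The XML layout and all sample values below are constructed for this example.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

HOST_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/host.xmi"

# Constructed sample: default_host still carries wildcard aliases on 9080/9443.
SAMPLE_VIRTUALHOSTS_XML = f"""<xmi:XMI xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:host="{HOST_NS}">
  <host:VirtualHost xmi:id="VirtualHost_1" name="default_host">
    <aliases xmi:id="HostAlias_1" hostname="*" port="9080"/>
    <aliases xmi:id="HostAlias_2" hostname="*" port="9443"/>
    <aliases xmi:id="HostAlias_3" hostname="iis.example.com" port="443"/>
  </host:VirtualHost>
  <host:VirtualHost xmi:id="VirtualHost_2" name="admin_host">
    <aliases xmi:id="HostAlias_4" hostname="iis.example.com" port="9060"/>
  </host:VirtualHost>
</xmi:XMI>"""


def wildcard_aliases(xml_text):
    """Return {virtual_host_name: [ports whose alias hostname is '*']}.
    An empty dict means every alias is pinned to a real host name."""
    root = ET.fromstring(xml_text)
    findings = {}
    for vh in root.iter(f"{{{HOST_NS}}}VirtualHost"):
        ports = [a.get("port") for a in vh.findall("aliases")
                 if a.get("hostname") == "*"]
        if ports:
            findings[vh.get("name")] = ports
    return findings


def redirect_follows_injected_host(status, location, injected_host):
    """True when the response to a request that carried a forged Host header
    is a redirect whose Location points at that forged host (the 302 symptom);
    a 404 with no Location, as after the fix, returns False."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    return urlsplit(location).hostname == injected_host.lower()


if __name__ == "__main__":
    print(wildcard_aliases(SAMPLE_VIRTUALHOSTS_XML))
    print(redirect_follows_injected_host(
        302, "http://injected.example/ibm/iis/console", "injected.example"))
    print(redirect_follows_injected_host(404, None, "injected.example"))
```

Run it against a copy of cells/<cell>/virtualhosts.xml from the deployment manager profile; any virtual host listed in the output still needs its "*" aliases replaced as described above.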
Document Location
Worldwide
Document Information
Modified date:
08 August 2022
UID
ibm15695167