zdt | Hyp3rlinx | 1337DAY-ID-28665
Sep 28, 2017 - 12:00 a.m.

Trend Micro OfficeScan 11.0/XG (12.0) - Host Header Injection Vulnerability

2017-09-28 00:00:00
hyp3rlinx
0day.today
EPSS: 0.027 (Low), percentile 90.6%

Exploit for php platform in category web applications

[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec            
  
 
 
Vendor:
==================
www.trendmicro.com
 
 
 
Product:
========
OfficeScan 
v11.0 and XG (12.0)*
 
 
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
 
 
 
Vulnerability Type:
===================
Host Header Injection
 
 
 
CVE Reference:
==============
CVE-2017-14087
 
 
 
Security Issue:
================
Host header injection: "db_controller.php" relies on $_SERVER['HTTP_HOST'], which the client can spoof, instead of $_SERVER['SERVER_NAME'].
In environments where caching is in place, an HTTP GET request with a poisoned Host header can potentially cause webpages to render arbitrary
links that point to a malicious website.
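
The pattern described above next to a hardened form, as an added example (not Trend Micro's code and not part of the original advisory). The allowlist, host names and `https` scheme are assumptions; an allowlist is used because, per the PHP manual, SERVER_NAME also reflects the client-supplied host under Apache unless UseCanonicalName and ServerName are set.

```php
<?php
declare(strict_types=1);
// Added example, not Trend Micro code. Host names are constructed placeholders.

// Assumption: names the console is legitimately reached under, set by the admin.
const ALLOWED_HOSTS = ['officescan.example.internal', '192.0.2.10'];
const CANONICAL_HOST = 'officescan.example.internal';

// Pattern described in the advisory: link host taken straight from the request.
function base_url_vulnerable(array $server): string
{
    return 'https://' . ($server['HTTP_HOST'] ?? '') . '/';
}

// Reduce a Host header value to a bare lowercase host; null if malformed.
// The port is discarded so the client cannot steer links to another port
// (assumption: generated links use the scheme's default port).
function normalise_host(string $raw): ?string
{
    $host = strtolower(trim($raw));
    // Hostname or IPv4 literal with optional :port; anything else is rejected.
    if (!preg_match('/\A([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?\z/', $host, $m)) {
        return null;
    }
    return $m[1];
}

// Hardened form: only allowlisted hosts are ever reflected into generated links.
function base_url_hardened(array $server): string
{
    $host = normalise_host((string) ($server['HTTP_HOST'] ?? ''));
    if ($host === null || !in_array($host, ALLOWED_HOSTS, true)) {
        $host = CANONICAL_HOST; // fall back instead of echoing client input
    }
    return 'https://' . $host . '/';
}

// Constructed sample Host values: two legitimate, two spoofed.
$samples = ['officescan.example.internal', '192.0.2.10:8443', 'ATTACKER-IP', 'evil.example"><x'];
foreach ($samples as $value) {
    $server = ['HTTP_HOST' => $value];
    printf("%-30s vulnerable=%-40s hardened=%s\n", $value,
        base_url_vulnerable($server), base_url_hardened($server));
}
```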
 
 
Exploit/POC:
=============
 
c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"

#  0day.today [2018-01-06]  #
