GPARKS952 Member since 2014 5 posts
Unitedhealth Group, Inc.
Posted: August 25, 2016
Last activity: August 30, 2016
Closed

Host HTTP Header(s) and X-Forwarded-Host in PRPC 7.1.8

Does Pega use these, or expect these headers to have certain values?  I think not based on what I'm getting from our security team, but what can I/should I do about it?


We had a whitehat scan of our application; the team reports that it's possible to inject the Host [HTTP] header and X-Forwarded-Host, and that Pega is passing these back unmodified, which is a vulnerability for attack.


So, does Pega use these?  I note that in 7.2.1, X-Forwarded-* will "replace" ContextRewriteEnabled mechanism for generating absolute URLs; but can I just (for now) disable these?

How would I do that?  Is this an application server setting, or web server, or what?  (We have an F5 fronting IHS web server, and Websphere Application Server [8.5, if I recall, but I'm not sure the version]; so what config do I need to change?)


Or, is Pega using these, and if so, how are bad values being passed through?
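The reflection the scan describes, and the check a front-end (here, whatever sits in front of Pega) would apply before the header value reaches absolute-URL generation, as an added example that is not code from the post or from Pega. The allowlist, canonical host and header names are assumptions; `trust_forwarded` models whether the proxy you control overwrites X-Forwarded-Host.

```python
"""Constructed example: build absolute URLs only from Host / X-Forwarded-Host
values that match a configured allowlist, falling back to a canonical host."""

# Hypothetical allowlist: the hostnames actually published for the application.
ALLOWED_HOSTS = {"app.example.com", "app-uat.example.com"}
CANONICAL_HOST = "app.example.com"


def _normalize(host):
    """Lower-case and strip any :port; keep IPv6 literals such as [::1] intact."""
    if host is None:
        return None
    host = host.strip().lower()
    if host.startswith("["):
        host = host.split("]")[0] + "]"
    elif ":" in host:
        host = host.split(":", 1)[0]
    return host or None


def effective_host(headers, trust_forwarded=False):
    """Return the host to use in generated absolute URLs.

    X-Forwarded-Host is consulted only when trust_forwarded is True, i.e. when a
    proxy under your control sets it; otherwise an external client could supply
    it. Any value not on the allowlist is ignored and the canonical host is used.
    `headers` is assumed to be a dict with canonical header-name casing."""
    candidates = []
    if trust_forwarded:
        xfh = headers.get("X-Forwarded-Host")
        if xfh:
            # Chained proxies may append values; the first is the client-facing host.
            candidates.append(xfh.split(",")[0])
    candidates.append(headers.get("Host"))
    for raw in candidates:
        host = _normalize(raw)
        if host in ALLOWED_HOSTS:
            return host
    return CANONICAL_HOST


def absolute_url(headers, path, scheme="https", trust_forwarded=False):
    """Hardened form: host comes from effective_host(), never raw from the request."""
    return f"{scheme}://{effective_host(headers, trust_forwarded)}{path}"


def absolute_url_unchecked(headers, path):
    """The behaviour the scan flagged: the request-supplied host is reflected as-is."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}{path}"
```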


