Citrix XenMobile Server HTTP Host Header Injection

Solutionary ID: SERT-VDN-1020

Risk Rating: Medium

CVE ID: CVE-2016-6877

Product: Citrix XenMobile Server 10.3.6.310

Application Vendor: Citrix

Vendor URL: https://www.citrix.com

Date discovered: 07/20/2016

Discovered by: Michael Born and Will Caput

Vendor notification date: 08/19/2016

Vendor response date: 08/23/2016

Vendor acknowledgment date: 09/07/2016

Public disclosure date: 03/09/2017

Type of vulnerability: HTTP Host Header Injection

Exploit Vectors: Remote

Vulnerability Description: Citrix XenMobile Server is vulnerable to HTTP Host header injection (Host header poisoning) when a cached version of a web page is requested. The server does not validate the value of the HTTP Host header and uses it to build the redirect target, so a request whose Host header has been altered receives an HTTP 302 response whose Location header points at the attacker-supplied host. Because the browser sets the Host header itself, the attacker must first convince the user to navigate to a cached page and then, from a man-in-the-middle position, replace the Host header value before the request reaches the application server.

Tested on: XenMobile

Affected software versions: XenMobile Server Version 10.3.6.310

Impact: Successful exploitation results in the user being redirected to a malicious application server.

Fixed in: XenMobile Server 10.5.0.24

Remediation guidelines: Please update to the latest version of the Citrix XenMobile Server.
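The following is an added illustration of the vulnerability class described above, not code from Citrix or from the advisory authors. It shows a redirect handler that builds its Location header from the unvalidated Host header, the hardened form that checks Host against an allow-list and never echoes it, and a check that tells whether a captured 302 response reflects an injected host. The hostnames, the /login path and the request bytes are constructed assumptions for the example.

```python
"""
Host header poisoning in an HTTP 302 redirect: vulnerable handler,
hardened handler, and a check for a captured response.
Added example; hostnames, paths and requests are assumptions.
"""
from urllib.parse import urlsplit

# Assumed canonical host of the application server (not from the advisory).
CANONICAL_HOST = "xenmobile.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST, "xenmobile.example.com:443"}
LOGIN_PATH = "/login"  # assumed redirect target after the cached page


def build_request(path: str, host: str) -> bytes:
    """Construct a raw HTTP/1.1 GET whose Host header the MITM has rewritten."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Cache-Control: max-age=0\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of a raw HTTP request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def redirect_vulnerable(req: dict) -> tuple:
    """Vulnerable: the Location URL is built from the unvalidated Host header."""
    host = req["headers"].get("host", CANONICAL_HOST)
    return 302, f"https://{host}{LOGIN_PATH}"


def redirect_hardened(req: dict) -> tuple:
    """Hardened: reject unknown Host values and never echo the header into Location."""
    host = req["headers"].get("host", "").lower()
    if host not in ALLOWED_HOSTS:
        return 400, None
    return 302, f"https://{CANONICAL_HOST}{LOGIN_PATH}"


def location_reflects_host(location: str, injected_host: str) -> bool:
    """True if the authority of a 302 Location header equals the injected Host."""
    return urlsplit(location).netloc.lower() == injected_host.lower()


if __name__ == "__main__":
    evil = parse_request(build_request("/cached", "attacker.example"))
    status, location = redirect_vulnerable(evil)
    print(status, location, location_reflects_host(location, "attacker.example"))
    print(redirect_hardened(evil))
```

When testing a live server, the same check applies to the real response: send the request for the cached page with a Host value you control and compare the netloc of the Location header against it. A redirect that reflects the injected host confirms the behaviour described in the advisory; a 400, or a Location fixed to the configured hostname, is what the hardened handler returns.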