Host Header Injection allowing web cache poisoning attacks
Description
Failure to sanitize the Host header value on output in the GateManager web server could allow an attacker to conduct web cache poisoning attacks. This issue affects all versions of Secomea GateManager prior to 9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Web cache poisoning in Secomea GateManager <9.3 due to unvalidated Host header output.
Vulnerability
The Secomea GateManager web server fails to sanitize the Host header value when echoing it in responses. This allows an attacker to inject arbitrary content into the response, which can be cached by forward or reverse proxies. All versions prior to 9.3 are affected [1].
Exploitation
An attacker sends a crafted HTTP request with a malicious Host header to the GateManager web server. The server includes this value unsanitized in the response. An intermediary cache proxy that does not validate the Host header will store this response, poisoning the cache for subsequent users who request the same resource [1].
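The pattern described above, as an added example (generic Python, not Secomea's code and not the 9.3 fix): a handler that reflects the client-supplied Host header, beside one that reflects only an allowlisted, canonical name and marks rejections as uncacheable. The host name `gm.example.com`, the function names and the sample headers are constructed assumptions.

```python
# Added illustration of Host-header handling; not GateManager code.
# Headers are a list of (name, value) pairs so duplicate headers stay visible.

# Assumption: the deployment knows its own public name and port (constructed values).
ALLOWED_HOSTS = {"gm.example.com"}
ALLOWED_PORTS = {"", "443"}


def canonical_host(headers):
    """Return the server's canonical host name, or None if the request must be rejected."""
    values = [v for k, v in headers if k.lower() == "host"]
    if len(values) != 1:
        # A missing or duplicated Host header is ambiguous: the cache and the
        # origin may each pick a different value, so refuse it.
        return None
    name, _, port = values[0].strip().lower().partition(":")
    if name not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return None
    # Return the allowlisted name, never the client's bytes.
    return name


def redirect_unsafe(headers, path):
    """'Before' pattern: the response reflects whatever Host the client sent."""
    host = dict(headers).get("Host", "")
    return 302, {"Location": f"https://{host}{path}"}


def redirect_safe(headers, path):
    """'After' pattern: unknown hosts get an uncacheable 400, known hosts a canonical URL."""
    host = canonical_host(headers)
    if host is None:
        return 400, {"Cache-Control": "no-store"}
    return 302, {"Location": f"https://{host}{path}"}


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        [("Host", "GM.example.com:443")],
        [("Host", "attacker.example")],
        [("Host", "gm.example.com"), ("Host", "attacker.example")],
    ]
    for hdrs in samples:
        print(hdrs, "unsafe:", redirect_unsafe(hdrs, "/login"), "safe:", redirect_safe(hdrs, "/login"))
```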
Impact
Successful exploitation leads to cache poisoning, where subsequent users receive the attacker-controlled response instead of the legitimate one. This can result in information disclosure, redirection to malicious sites, or serving of attacker-controlled content, potentially compromising the victim's session or data [1].
Mitigation
Secomea released GateManager version 9.3 to fix this vulnerability. Users should upgrade to 9.3 or later. No workarounds have been disclosed. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.3
- Range: all
Patches
No patches discovered yet.
References
- [1] www.secomea.com/support/cybersecurity-advisory/ (mitre, x_refsource_MISC)