Legal Hold confirmation server login page: host header emitted directly into page
Article ID: 100032576
Description
Error Message
The application communicates over HTTPS, but some responses do not carry an HTTP Strict Transport Security (HSTS) header, which instructs the browser to force all communication with the domain over HTTPS.
HSTS strengthens the transport-layer security of a deployment because it covers cases such as a user manually typing an http:// URL for the application, or the application inadvertently containing HTTP links.
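Added example (not code from this article or from the Veritas product): a small Python check that classifies responses by their Strict-Transport-Security header, run over constructed sample header sets of the kind a scanner would report. The one-year max-age threshold is an assumption; the article states no value.

```python
from typing import Dict, Optional

# One-year max-age as the baseline for an "adequate" policy (assumption; the
# article states no value).
MIN_MAX_AGE = 31536000

# Constructed sample header sets, one per response; not captured from the product.
SAMPLE_RESPONSES = {
    "login_page": {"Content-Type": "text/html"},
    "api_ok": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "api_off": {"Strict-Transport-Security": "max-age=0"},
    "api_short": {"Strict-Transport-Security": "max-age=300"},
}


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into directives (names are case-insensitive, RFC 6797)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(headers: Dict[str, str]) -> str:
    """Classify one response as 'missing', 'disabled', 'weak' or 'ok'."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return "missing"
    max_age = parse_hsts(value).get("max-age")
    if max_age is None or not max_age.isdigit():
        # RFC 6797 makes max-age mandatory; a header without it is ignored by browsers.
        return "missing"
    if int(max_age) == 0:
        return "disabled"  # max-age=0 tells the browser to drop any stored policy
    if int(max_age) < MIN_MAX_AGE:
        return "weak"
    return "ok"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run the check over a set of named responses."""
    return {name: evaluate_hsts(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict}")
```

The "missing" verdict covers both the absent header and a header without max-age, because a browser treats the second exactly like the first; a finding like the one in this article is only closed when every HTTPS response carries a parseable max-age.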
Cause
This issue is difficult to exploit. Changing the Host header from its usual value (the name of the HTTP server being browsed to) requires customizing the value in the browser or in a proxy, and the affected user would then have to visit the confirmation page through that customized browser or proxy.
Resolution
Veritas Corporation has acknowledged that the above-mentioned issue is present in the version(s) of the product(s) referenced in this article. Veritas Corporation is committed to product quality and satisfied customers.
This issue is currently under investigation by Veritas Corporation. Pending the outcome of the investigation, this issue may be resolved by way of a hotfix or cumulative hotfix in current or future revisions of the software. However, this particular issue is not currently scheduled for any release. If you feel this issue has a direct business impact for you and your continued use of the product, please contact your Veritas Sales representative or the Veritas Sales group to discuss these concerns. For information on how to contact Veritas Sales, please see http://www.Veritas.com.
Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.
Issue/Introduction
The value of the browser's "Host:" request header is echoed back, unsanitized, into the hold confirmation page.
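Added example for the Cause and Issue sections above (not code from the Veritas Legal Hold product, whose handler, template and hostnames the article does not show): a vulnerable page builder that pastes the Host header into the confirmation form beside a hardened one that validates Host against an allowlist and renders the configured canonical name instead, plus the check a tester runs by sending a request with a custom Host. The hostnames and request dictionaries are constructed; what a reflected Host actually achieves depends on where the real page places it, which the article does not specify.

```python
import html
from typing import Callable, Mapping

# Hostnames the confirmation server is legitimately reached as (assumption; the
# article names no deployment hostname).
ALLOWED_HOSTS = {"legalhold.example.com", "legalhold.example.com:443"}
CANONICAL_HOST = "legalhold.example.com"

# Constructed requests: a normal browser, and one sent through a proxy that
# rewrote the Host header, as the Cause section describes.
NORMAL_REQUEST = {"Host": "legalhold.example.com"}
TAMPERED_REQUEST = {"Host": "attacker.example"}


def vulnerable_confirmation_page(request: Mapping[str, str]) -> str:
    """Build the hold confirmation form with the Host header pasted in unsanitized."""
    host = request.get("Host", "")
    return ('<form action="https://' + host + '/confirm" method="post">'
            '<input type="submit" value="Confirm legal hold"></form>')


def hardened_confirmation_page(request: Mapping[str, str]) -> str:
    """Same page, but Host is checked against an allowlist and the output uses
    the configured canonical name rather than anything from the request."""
    host = request.get("Host", "").strip().lower()
    if host not in ALLOWED_HOSTS:
        # An unexpected Host never reaches the template; a real server answers 400.
        raise ValueError(f"unexpected Host header: {host!r}")
    # Escaping is defence in depth: the allowlist already keeps the value clean.
    return ('<form action="https://' + html.escape(CANONICAL_HOST, quote=True)
            + '/confirm" method="post">'
            '<input type="submit" value="Confirm legal hold"></form>')


def reflects_host(page_builder: Callable[[Mapping[str, str]], str],
                  request: Mapping[str, str]) -> bool:
    """True if the raw Host value appears verbatim in the rendered page.

    A rejected request (ValueError from the hardened builder) counts as not
    reflected, since no page derived from the header was produced.
    """
    try:
        page = page_builder(request)
    except ValueError:
        return False
    return request["Host"] in page


if __name__ == "__main__":
    print("vulnerable reflects tampered Host:",
          reflects_host(vulnerable_confirmation_page, TAMPERED_REQUEST))
    print("hardened reflects tampered Host:",
          reflects_host(hardened_confirmation_page, TAMPERED_REQUEST))
```

With the vulnerable builder, the form action of the tampered request points at attacker.example, so the confirmation POST would leave the legitimate server; the hardened builder refuses the request outright, and for a normal request the hostname it emits comes from configuration, not from the header.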
Additional Information
JIRA: 44604