Check Point Advisories

Security Best Practice: Get Yourself Familiar with the Header Rejection Tool

Check Point Reference:	SBP-2008-07
Date Published:	25 May 2008
Severity:	High
Last Updated:	Tuesday 01 January, 2008
Source:	SmartDefense Research Center
Protection Provided by:
Who is Vulnerable?	HTTP Servers & Clients
Vulnerability Description	Web servers and applications parse not only the URL, but also the rest of the HTTP header data. Wrong parsing can lead to buffer overrun attacks and other vulnerabilities. Some exploits use the HTTP headers to cause damage. The exploit can be carried in standard headers (the Host header for example) with custom values, or in custom headers. Such attacks can be blocked using signatures that are defined using regular expressions. Web Intelligence can provide protection against many HTTP threats, including preventing attacks that run malicious code on web servers or clients. SmartDefense allows Administrators to configure signatures that will be detected and blocked by Gateways. The SmartDefense subscription service regularly updates signature patterns for common malware. In addition, an Administrator can define custom header rejection patterns.
Vulnerability Details	The Web Intelligence?s Header Rejection tool can: Detect and block various programs and malware based on pre-defined header names. Be updated for new patterns, manually or automatically (through the SmartDefense subscription service).