EFT: Specify a whitelist of additional domains and IPs to accept in host header

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.11 and later

DISCUSSION

The domain (host) values in EFT are automatically accepted when included in host headers. This applies to the Server administrator listening IP(s) on the Server > Administration tab, and all of the listening IPs, IP ranges, and host name in the Domain box on the Site's Connections tab. To add additional trusted domain and IPs, you can create a whitelist in the registry that will apply to all Sites and the Server.

To specify a whitelist of additional, trusted domains and IPs that EFT can accept, create the following registry setting:

HKEY_LOCAL_MACHINE\Software\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

Type: STRING

Value name: AllowedHostHeaderList

Default Value: Allowed host header values are:

  • Site Domain (Connections tab)
  • Site listening IPs

Restart Required: yes

Backup/Restore: yes

  • Multiple values should be comma delimited.
  • If you try to connect to an EFT server with a host header that is not on the list, you will see a 404 error.

When a connection is attempted:

  • If the connecting host header value is in the whitelist, the EFT accepts the host header value.
  • If the connecting host header value is not in the whitelist or a known EFT domain/IP value, the connection is denied, EFT logs a warning to let administrator know about the injection attack. e.g:

    • "WARN HTTP- Access denied for unknown header value: 'desktop-7c01b33'"
Posted 5 Years Ago, Updated 4 Years Ago
https://kb.globalscape.com/Knowledgebase/11430/EFT-Specify-a-whitelist-of-additional-domains-and-IPs-to-accept-in-host-header