Mend Vulnerability Database
Date: January 3, 2022
Overview
Userfrosting versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user into clicking a link, an unauthenticated attacker can use the "forgot password" functionality to reset the victim's password and take over their account.
Details
Userfrosting builds the password reset link from the Host header of the incoming request instead of from a configured base URL. An attacker submits a forgot-password request for the victim's email address with the Host header changed to an attacker-controlled address. The application accepts the request and emails the victim a password reset link whose base URL is the attacker's address. When the victim clicks the link, the browser sends the password reset token to the attacker's address; with that token the attacker can reset the victim's password and take over the account.
PoC Details
1. Start a Python server on port 8000.
2. Go to the `/account/forgot-password` endpoint and enter the victim's email address for reset.
3. Intercept the request with a proxy and change the `Host` value to the attacker domain on port 8000, where the Python server is listening. Now forward the request.
4. As the victim, check the email and open the reset link received.
5. The server will now log the request made by the victim that was meant for the vulnerable site. The request is for the `set-password` endpoint, with the reset token included.
6. As the attacker, go to the endpoint requested by the victim and change the password to a new one.
7. You are now logged in as the victim.
Affected Environments
v0.3.1 through v4.6.2
Prevention
Update to Userfrosting v4.6.3
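The root cause described under Details and the fix direction under Prevention, as an added illustration that is not Userfrosting's code: a reset-link builder that trusts the request's Host header beside one that uses a configured origin and rejects unexpected hosts. The origin, allow-list, path `/account/set-password` and token value are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed configuration for the example: the public origin the mailer
# should always use, and the hostnames this deployment is allowed to serve.
CANONICAL_ORIGIN = "https://app.example.test"
ALLOWED_HOSTS = {"app.example.test"}


def host_from_header(headers: dict) -> str:
    """Extract the hostname from a Host header, dropping any port (handles IPv6 literals)."""
    return (urlsplit("//" + headers.get("Host", "")).hostname or "").lower()


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The flawed pattern from the advisory: the base URL is copied from the
    client-controlled Host header, so a tampered Host puts the reset token
    on whatever address the sender of the request chose."""
    host = headers.get("Host", "")
    return f"https://{host}/account/set-password?token={token}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the link is built from configuration only, and a
    request whose Host is not on the allow-list is refused before any
    email is generated."""
    host = host_from_header(headers)
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/account/set-password?token={token}"


def link_points_to_app(link: str) -> bool:
    """Regression check for tests or outbound-mail monitoring: the emitted
    link must stay on one of our own hostnames."""
    return urlsplit(link).hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request headers: one genuine, one with a tampered Host.
    genuine = {"Host": "app.example.test"}
    tampered = {"Host": "attacker.test:8000"}
    for name, hdrs in (("genuine", genuine), ("tampered", tampered)):
        link = reset_link_vulnerable(hdrs, "tok123")
        print(f"vulnerable/{name}: {link} on our origin? {link_points_to_app(link)}")
        try:
            print(f"hardened/{name}:  {reset_link_hardened(hdrs, 'tok123')}")
        except ValueError as exc:
            print(f"hardened/{name}:  rejected ({exc})")
```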
Good to know:

| Metric (CVSS v3) | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |

| Metric (CVSS v2) | Value |
|---|---|
| Access Vector (AV) | Network |
| Access Complexity (AC) | Medium |