Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID? What is an MSC vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: June 22, 2022
OverviewIn motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim.
DetailsIn motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim.
PoC Details1. Start a python server in terminal and listen on port 8000
2. Go to http://0.0.0.0:3000/sign_in and login with a valid user
3. Go to http://0.0.0.0:3000/settings/email and configure SMTP
settings. (also ensure to change current email address to valid
one to receive reset link)
4. Logout of the application.
5. Go back to “Sign in”-> “Forgot password” and enter the email
address to reset password.
6. Intercept in burp and click the button. Don’t change anything
and forward all requests.
7. Go back to the “Forgot password” page and enter the same
email address and intercept the request.
8. This time, remove the Origin header and in Host header,
change host to 0.0.0.0:8000 and forward the request.
9. Copy the reset link received in email and paste in chrome.
10. We see that the token is leaked in the terminal. Use that
token to reset the password.
Affected Environmentsmotor-admin versions 0.0.1 through 0.2.56
PreventionUpgrade to motor-admin version 0.2.61
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||None|
|User Interaction (UI):||Required|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Medium|