Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in mineweb/minewebcms

Valid

Reported on

Oct 14th 2021


Description

Hello, In the password reset it is possible to perform a Host Header Injection, so the victim will receive an email pointing to a third party site. By clicking, the attacker will be able to retrieve the victim's account reset token and use it to access his account.

From Portswigger : HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior.

Proof of Concept

  1. Perform the password reset request
  2. Intercept the request with a tool such as burp suite
  3. Replay the request by changing the host header to an arbitrary value such as evil.org
  4. The email received will then point to evil.org

Impact

  • By recovering the reset token an attacker can access the victim's account
nivcoo
2 years ago

Maintainer


Hello, i don't understand exactly, the issue is for HTTP only right ? Not HTTPS ?

JoMar
2 years ago

Researcher


Hello, What is not clear? :)

No, nothing to do with HTTP or HTTPS, in this case, for my part the URL is HTTP because I installed the application locally to test and I have no SSL certificate.

Regards

nivcoo
2 years ago

Maintainer


Because i don't understand how you can intercept the request with SSL/encrypt request ?

JoMar
2 years ago

Researcher


Hi, I think there is a misunderstanding of how the exploit works here.

The S in HTTS is an SSL/TLS overlay that effectively encrypts connections so that an attacker cannot intercept and read them. This scenario is the most frequent in a "man in the middle" attack.

Here the flow that I intercept and modify is the flow that I generate myself. In this case the HTTP request does not need to be decrypted. In the case of an HTTPS encrypted connection, I use BurpSuite with a self-signed Certificate Authority that I add in my browser so I am able to read and modify my own HTTPS requests.

See : https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate

However, here I don't need to read or modify a victim's HTTPS request at all. I can generate a password reset request myself, by entering a victim's email address and then intercepting the request via the described mechanism, I replace the header host with the malicious value.

Regards

nivcoo
2 years ago

Maintainer


If i understand correctly, you can generate password changer link with your own method and send it with the website mail server ? (If my website mail is contact@nivcoo.fr for example, the mail will be sent by this email address ?) And with that you can change the sent link, OK

nivcoo
2 years ago

Maintainer


Ok i've the issue, i will try to fix that, thx

nivcoo validated this vulnerability 2 years ago
JoMar has been awarded the disclosure bounty
The fix bounty is now up for grabs
nivcoo
2 years ago

Maintainer


Before confirm the fix, i want to know if it's the right issue, i've define in DB the website_url to send correct link without http_host exploit

JoMar
2 years ago

Researcher


Hi, Yes, it is the content of the message that is modified because it is based on a value controllable by a user.

So yes the mail is sent with the mail server configured on the application and the associated mail address.

I'm not sure I understand the fix you want to put in place.

But if the URL of the application in the mails comes from a base value rather than the Host value of the HTTP request then yes it fixes the problem.

If it's easier for you, you can DM me on Twitter (Je parle français :D)

Regards

nivcoo
2 years ago

Maintainer


I have added new option in configuration : website_url to set website url statically and get it when we have to get current website url

nivcoo
2 years ago

Maintainer


So i dont call http_host header to get website url

nivcoo marked this as fixed in next with commit 9b84b6 2 years ago
nivcoo has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation