Password Reset link hijacking via Host Header Poisoning in linkstackorg/linkstack

Valid

Reported on

Sep 17th 2023


Description

LinkStack uses the Host header when sending out password reset links. This allows an attacker to insert a malicious host header, leading to password reset link / token leakage.

Tested on a default Docker Compose installation of LinkStack (https://github.com/LinkStackOrg/linkstack-docker)

Proof of Concept

Steps to reproduce:

  1. Open up Firefox and Burp Suite.
  2. Visit the forgot password page (in my case - http://localhost:8188/forgot-password).
  3. Enter the victim's email address and click on Email Password Reset Link.
  4. Intercept the HTTP request in Burp Suite & change the Host header to your malicious site/server (in my case - Host: o5ue2n4o2z0ulzgonu1xssjtxk3er5fu.oastify.com).
  5. Forward the request.
  6. The victim will then receive a password reset e-mail with your poisoned link.
  7. If the victim clicks the link, the reset token will be leaked and the attacker will be able to find the reset token in the server logs. The attacker can then browse to the reset page with the token and change the password of the victim account!

Video Proof of Concept

poc-linkstack-pw-reset-link.gif

Impact

The victim will receive the malicious link in their email, and, when clicked, will leak the user's password reset link / token to the attacker, leading to full account takeover.

We are processing your report and will contact the linkstackorg/linkstack team within 24 hours. 5 months ago
Evgenii Shein
5 months ago

Researcher


Hello! Any feedback from the @maintainer?

We have contacted a member of the linkstackorg/linkstack team and are waiting to hear back 5 months ago
Evgenii Shein
5 months ago

Researcher


Any updates?

We have sent a follow up to the linkstackorg/linkstack team. We will try again in 4 days. 5 months ago
Julian Prieber
5 months ago

Maintainer


Upstream issue: https://github.com/khzg/littlelink-admin

See: https://github.com/khzg/littlelink-admin/blob/main/app/Http/Controllers/Auth/PasswordResetLinkController.php

Julian Prieber
5 months ago

Maintainer


I am unfamiliar with this process, I'm not sure how to resolve this. This might take a bit. As far as I know, we are using a public library to perform the reset. I might have to do some digging here.

Evgenii Shein
5 months ago

Researcher


Possible mitigation from the provided references:

Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']

Is it suitable for LinkStack?

Julian Prieber
5 months ago

Maintainer


As far as I can tell this does not apply to us.

Julian Prieber
5 months ago

Maintainer


I did some research. We are using a default Laravel method to send the reset email. This is a Laravel issue. This issue is known and there is a default fix for it built into the Framework.

We just have to enable that, and the app will only allow requests from trusted sources: https://github.com/LinkStackOrg/LinkStack/blob/main/app/Http/Kernel.php#L17

See: https://laravel.com/docs/9.x/requests#configuring-trusted-hosts
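The Laravel trusted-host configuration the maintainer refers to, shown here as an added illustration rather than code taken from the LinkStack repository or from this report: the weak state (the middleware left commented out in app/Http/Kernel.php) beside the corrected one, with a TrustHosts middleware that only accepts the host named in APP_URL and its subdomains. It assumes APP_URL is set to the site's public URL.

```php
<?php
// app/Http/Kernel.php (excerpt). Weak state: Laravel ships the middleware
// commented out, so Illuminate\Http\Request::getHost() trusts whatever Host
// header the client sends, and the password-reset mail embeds that host in
// its link.
//
//     protected $middleware = [
//         // \App\Http\Middleware\TrustHosts::class,
//         \App\Http\Middleware\TrustProxies::class,
//         // ...remaining global middleware unchanged
//     ];
//
// Corrected state: enable the middleware so every request's Host header is
// checked against the patterns returned by hosts() before it is used.
//
//     protected $middleware = [
//         \App\Http\Middleware\TrustHosts::class,
//         \App\Http\Middleware\TrustProxies::class,
//         // ...remaining global middleware unchanged
//     ];

// app/Http/Middleware/TrustHosts.php
namespace App\Http\Middleware;

use Illuminate\Http\Middleware\TrustHosts as Middleware;

class TrustHosts extends Middleware
{
    /**
     * Host patterns (regular expressions) this application will answer for.
     *
     * allSubdomainsOfApplicationUrl() derives the pattern from the host part
     * of APP_URL; for APP_URL=https://example.org (a constructed value) it
     * yields '^(.+\.)?example\.org$'. A request whose Host header does not
     * match, such as an attacker-controlled domain, is rejected by the
     * framework as an untrusted host instead of being copied into the
     * reset link.
     *
     * @return array<int, string|null>
     */
    public function hosts()
    {
        return [
            $this->allSubdomainsOfApplicationUrl(),
        ];
    }
}
```

If the site is legitimately served under more than one domain, add each of them as an extra pattern in the returned array rather than disabling the middleware.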

Julian Prieber validated this vulnerability 5 months ago
sev-hack has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Julian Prieber marked this as fixed in v4.2.9 with commit fe7b99 5 months ago
The fix bounty has been dropped
Evgenii Shein
5 months ago

Researcher


@maintainer Good news!

After you fix and publish information about this vulnerability, is it possible to issue a CVE?

Julian Prieber
5 months ago

Maintainer


From experience, the adoption of security updates might take a few months for certain instances to catch up. But in this case this should probably be fine.

Julian Prieber
5 months ago

Maintainer


Fix can be tested in v4.2.9-beta-2

Evgenii Shein
4 months ago

Researcher


Sorry for the late response; now I can confirm that the vulnerability has been fixed.

This vulnerability has now been published 4 months ago