Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in mineweb/minewebcms

Valid

Reported on

Oct 14th 2021


Description

Hello, in the password reset flow it is possible to perform a Host header injection: the reset email the victim receives contains a link pointing to a third-party site. When the victim clicks it, the attacker is able to retrieve the victim's account reset token and use it to access their account.

From PortSwigger: HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behaviour.

Proof of Concept

  1. Perform the password reset request
  2. Intercept the request with a tool such as Burp Suite
  3. Replay the request, changing the Host header to an arbitrary value such as evil.org
  4. The email received will then point to evil.org

Impact

  • By recovering the reset token an attacker can access the victim's account
nivcoo
4 months ago

Hello, I don't understand exactly, the issue is for HTTP only, right? Not HTTPS?

JoMar
4 months ago

Researcher


Hello, What is not clear? :)

No, nothing to do with HTTP or HTTPS, in this case, for my part the URL is HTTP because I installed the application locally to test and I have no SSL certificate.

Regards

nivcoo
4 months ago

Because I don't understand how you can intercept the request with an SSL/encrypted request?

JoMar
4 months ago

Researcher


Hi, I think there is a misunderstanding of how the exploit works here.

The S in HTTPS is an SSL/TLS overlay that effectively encrypts connections so that an attacker cannot intercept and read them. This scenario is the most frequent in a "man in the middle" attack.

Here the flow that I intercept and modify is the flow that I generate myself. In this case the HTTP request does not need to be decrypted. In the case of an HTTPS encrypted connection, I use BurpSuite with a self-signed Certificate Authority that I add in my browser so I am able to read and modify my own HTTPS requests.

See : https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate

However, here I don't need to read or modify a victim's HTTPS request at all. I can generate a password reset request myself by entering a victim's email address and then intercepting the request via the described mechanism; I replace the Host header with the malicious value.

Regards

nivcoo
4 months ago

If I understand correctly, you can generate a password change link with your own method and send it with the website mail server? (If my website mail is contact@nivcoo.fr for example, the mail will be sent by this email address?) And with that you can change the sent link, OK

nivcoo
4 months ago

OK, I've got the issue, I will try to fix that, thx

nivcoo validated this vulnerability 4 months ago
JoMar has been awarded the disclosure bounty
The fix bounty is now up for grabs
nivcoo
4 months ago

Before confirming the fix, I want to know if it's the right issue: I've defined in the DB the website_url to send the correct link without the http_host exploit.

JoMar
4 months ago

Researcher


Hi, Yes, it is the content of the message that is modified because it is based on a value controllable by a user.

So yes the mail is sent with the mail server configured on the application and the associated mail address.

I'm not sure I understand the fix you want to put in place.

But if the URL of the application in the mails comes from a base value rather than the Host value of the HTTP request then yes it fixes the problem.

If it's easier for you, you can DM me on Twitter (Je parle français :D)

Regards

nivcoo
4 months ago

I have added a new option in the configuration: website_url, to set the website URL statically and get it when we have to get the current website URL.

nivcoo
4 months ago

So I don't call the http_host header to get the website URL.
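The bug in the Description and the fix agreed in this thread, as an added example (not MineWebCMS code): a reset link whose authority is taken from the client-supplied Host header, beside one built from a statically configured website_url, plus a check that a generated link stays on the configured site. The function names, the `/reset-password/<token>` path and the `example.invalid` site are assumptions made for the illustration.

```python
# Added example, not from the MineWebCMS code base. Demonstrates why a
# password-reset link must not be derived from the HTTP Host header and how a
# statically configured website_url (the fix adopted in this report) avoids it.
import secrets
from urllib.parse import urlsplit

RESET_PATH = "/reset-password/"  # assumed route, not the project's real one


def build_reset_link_from_host(headers: dict, token: str, scheme: str = "http") -> str:
    """Vulnerable pattern: the link's host comes straight from the request's Host header.
    Whoever sends the reset request (the attacker, with the victim's email) picks the host."""
    host = headers.get("Host", "")
    return f"{scheme}://{host}{RESET_PATH}{token}"


def build_reset_link_from_config(website_url: str, token: str) -> str:
    """Fixed pattern: the host comes from the operator-configured website_url,
    which no request can influence."""
    base = website_url.rstrip("/")
    return f"{base}{RESET_PATH}{token}"


def host_header_is_trusted(host_header: str, allowed_hosts: list[str]) -> bool:
    """Alternative mitigation when the Host header must be used: accept only an
    allowlisted hostname. The port (if any) is stripped before comparison;
    IPv6 literals are not handled in this short version."""
    hostname = host_header.split(":")[0].strip().lower()
    return hostname != "" and hostname in {h.lower() for h in allowed_hosts}


def link_points_to_site(link: str, website_url: str) -> bool:
    """Defensive self-check before sending mail: scheme and host of the generated
    link must equal those of the configured site."""
    want, got = urlsplit(website_url), urlsplit(link)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    forged_headers = {"Host": "evil.org"}          # constructed attacker request
    site = "https://example.invalid"               # constructed operator config
    bad = build_reset_link_from_host(forged_headers, token)
    good = build_reset_link_from_config(site, token)
    print("from Host header :", bad, "| on site:", link_points_to_site(bad, site))
    print("from website_url :", good, "| on site:", link_points_to_site(good, site))
```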

nivcoo confirmed that a fix has been merged on 9b84b6 3 months ago
nivcoo has been awarded the fix bounty