Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in mineweb/minewebcms
Reported on
Oct 14th 2021
Description
Hello, In the password reset it is possible to perform a Host Header Injection, so the victim will receive an email pointing to a third party site. By clicking, the attacker will be able to retrieve the victim's account reset token and use it to access his account.
From Portswigger : HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior.
Proof of Concept
- Perform the password reset request
- Intercept the request with a tool such as burp suite
- Replay the request by changing the host header to an arbitrary value such as
evil.org - The email received will then point to
evil.org
Impact
- By recovering the reset token an attacker can access the victim's account
Hello, i don't understand exactly, the issue is for HTTP only right ? Not HTTPS ?
Hello, What is not clear? :)
No, nothing to do with HTTP or HTTPS, in this case, for my part the URL is HTTP because I installed the application locally to test and I have no SSL certificate.
Regards
Because i don't understand how you can intercept the request with SSL/encrypt request ?
Hi, I think there is a misunderstanding of how the exploit works here.
The S in HTTS is an SSL/TLS overlay that effectively encrypts connections so that an attacker cannot intercept and read them. This scenario is the most frequent in a "man in the middle" attack.
Here the flow that I intercept and modify is the flow that I generate myself. In this case the HTTP request does not need to be decrypted. In the case of an HTTPS encrypted connection, I use BurpSuite with a self-signed Certificate Authority that I add in my browser so I am able to read and modify my own HTTPS requests.
See : https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate
However, here I don't need to read or modify a victim's HTTPS request at all. I can generate a password reset request myself, by entering a victim's email address and then intercepting the request via the described mechanism, I replace the header host with the malicious value.
Regards
If i understand correctly, you can generate password changer link with your own method and send it with the website mail server ? (If my website mail is contact@nivcoo.fr for example, the mail will be sent by this email address ?) And with that you can change the sent link, OK
Before confirm the fix, i want to know if it's the right issue, i've define in DB the website_url to send correct link without http_host exploit
Hi, Yes, it is the content of the message that is modified because it is based on a value controllable by a user.
So yes the mail is sent with the mail server configured on the application and the associated mail address.
I'm not sure I understand the fix you want to put in place.
But if the URL of the application in the mails comes from a base value rather than the Host value of the HTTP request then yes it fixes the problem.
If it's easier for you, you can DM me on Twitter (Je parle français :D)
Regards
I have added new option in configuration : website_url to set website url statically and get it when we have to get current website url