Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in mineweb/minewebcms
Oct 14th 2021
In the password reset flow it is possible to perform a Host header injection: the reset email the victim receives contains a link that points to a third-party site chosen by the attacker. When the victim clicks the link, the attacker's server receives the request and with it the victim's password reset token, which the attacker can then use to take over the account.
From PortSwigger: HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior.
Proof of Concept
- Perform the password reset request for the victim's account
- Intercept the request with a tool such as Burp Suite
- Replay the request, changing the Host header to an arbitrary attacker-controlled value such as
- The reset email the victim receives will then point to
- When the victim follows the link, the attacker's server logs the request and thereby recovers the reset token; with that token the attacker can access the victim's account