Password Reset Poisoning in humhub/humhub


Reported on

Sep 6th 2022


Humhub uses the HTTP Host-Header in a password reset request to generate the password reset link that is sent to the user in an email without any filters or checks. This allows an attacker to craft a password reset request using a manipulated host header, resulting in reset-token leakage and thus account takeover if the victim clicks the manipulated password reset link.

Proof of Concept

The Proof-of-Concept requires that the webserver ignores the host header. For instance, this is the case with the default Apache configuration without multiple vhosts.

Steps to reproduce on a local Humhub installation:

1. On the login page, click on `Forgot your password?`
2. Enter the victim's email address and the captcha. Intercept the request in Burp
3. Change the Host Header to `` and forward the request (Screenshot 1)
4. Observe that the password reset link points to the manipulated domain `` (Screenshot 2)

Manipulated Request

Screenshot 1

Manipulated password reset request:

POST /index.php?r=user%2Fpassword-recovery HTTP/1.1


Manipulated Password-Reset Link

Screenshot 2

Password-reset email sent by Humhub:

Password recovery

Hello asd def

Please use the following link wit=
hin the next day to reset your password.
If you don't use this link withi=
n 24 hours, it will expire.

Reset Password:


The victim receives the manipulated password-reset link in an email. If the victim clicks the link, the password reset token is leaked to the attacker. The attacker is thus able to change the password of the victim's account leading to complete account takeover.

We are processing your report and will contact the humhub team within 24 hours. a year ago
We have contacted a member of the humhub team and are waiting to hear back a year ago
Lucas Bartholemy modified the Severity from High (7.1) to Medium (4.3) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Lucas Bartholemy validated this vulnerability a year ago

Thanks to the report and your work to make HumHub safer.

Usually Web Application Servers are configured so that only e.g. host headers defined in the ServerName reach the application, so this attack will work only in rare cases - so we do not consider the risk as high but ofc as valid.

vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the humhub team. We will try again in 7 days. a year ago
a year ago


For your information, since we consider the problem to be rather minor, it will not be fixed until the next major release.

The PR Fix is available here:

We have sent a second fix follow up to the humhub team. We will try again in 10 days. a year ago
Lucas Bartholemy marked this as fixed in 1.13 with commit 7f9d9f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation