CVE-2021-25994
Date: January 3, 2022
Overview
In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.
Details
Userfrosting is vulnerable to Host Header Injection. When an attacker requests a password reset for the victim's email address, the `Host` header value in the request is modified to the attacker's address. After the request is submitted, the victim receives an email with a password reset link whose base URL is the attacker's address. When the victim clicks on the link, the password reset token is sent to the attacker's address; using it, the attacker can reset the victim's password and take over the account.
PoC Details
1. Start a Python server on port 8000.
2. Go to the `/account/forgot-password` endpoint and enter the victim’s email address for reset.
3. Intercept the request with a proxy and change the `Host` value to the attacker domain on port 8000, where the Python server is listening. Then forward the request.
4. As the victim, check the email and open the reset link received.
5. The server now logs the request made by the victim that was meant for the vulnerable site. The request is for the `set-password` endpoint, with the reset token included.
6. As the attacker, go to the endpoint requested by the victim and change the password to a new one.
7. You are now logged in as the victim.
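The root cause described in the Details section is a reset link whose base URL is derived from the request's `Host` header. The snippet below is an added example, not UserFrosting's own code: it contrasts that pattern with one that takes the base URL from configuration and rejects requests whose `Host` is not on an allow-list. The function names, the `/account/set-password` path, and the sample hosts and token are constructed for illustration.

```php
<?php
// Added example (not UserFrosting's code): reset link built from the Host header
// versus from a configured base URL.

/**
 * Vulnerable pattern: the base URL is taken from the request's Host header,
 * so whoever sends the "forgot password" request controls where the emailed
 * link points, and therefore where the victim's reset token is delivered.
 */
function buildResetUrlFromHost(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST']
        . '/account/set-password?token=' . rawurlencode($token);
}

/**
 * Hardened pattern: the base URL comes from configuration, never from the
 * request. The Host header is only compared against an allow-list so that a
 * request carrying an unexpected Host is rejected (and can be logged) instead
 * of being used to build the link.
 */
function buildResetUrlFromConfig(array $server, string $token,
                                 string $configuredBaseUrl, array $allowedHosts): string
{
    // Allow-list entries must match the Host header exactly, including any port.
    $requestHost = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($requestHost, $allowedHosts, true)) {
        throw new RuntimeException("Unexpected Host header: {$requestHost}");
    }
    return rtrim($configuredBaseUrl, '/')
        . '/account/set-password?token=' . rawurlencode($token);
}

// Constructed sample request whose Host header has been tampered with
// (hypothetical hostnames and token, not values from the advisory).
$server = ['HTTP_HOST' => 'tampered.example:8000', 'HTTPS' => 'on'];
$token  = 'constructed-reset-token';

// The vulnerable builder happily points the link at the tampered host.
echo buildResetUrlFromHost($server, $token), PHP_EOL;

// The hardened builder refuses to proceed because the Host is not allow-listed.
try {
    echo buildResetUrlFromConfig($server, $token, 'https://app.example', ['app.example']), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

A rejected request in the hardened path is also a useful detection signal: a `Host` mismatch on the forgot-password endpoint is exactly the traffic this advisory describes.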
Affected Environments
v0.3.1 through v4.6.2
Prevention
Update to Userfrosting v4.6.3
Language: PHP
Good to know:
| CVSS v3 metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
| CVSS v2 metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Medium |
| Authentication (AU) | None |
| Confidentiality (C) | Partial |
| Integrity (I) | Partial |
| Availability (A) | Partial |