CVE-2022-23079
Date: June 22, 2022
Overview
motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality, where a malicious actor can send a fake password reset email to an arbitrary victim.
Details
motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality, where a malicious actor can send a fake password reset email to an arbitrary victim.
PoC Details
1. Start a Python server in a terminal and listen on port 8000.
2. Go to http://0.0.0.0:3000/sign_in and log in with a valid user.
3. Go to http://0.0.0.0:3000/settings/email and configure the SMTP settings. (Also make sure to change the current email address to a valid one so that the reset link is received.)
4. Log out of the application.
5. Go back to “Sign in” -> “Forgot password” and enter the email address to reset the password.
6. Intercept in Burp and click the button. Don’t change anything and forward all requests.
7. Go back to the “Forgot password” page, enter the same email address and intercept the request.
8. This time, remove the Origin header, change the host in the Host header to 0.0.0.0:8000 and forward the request.
9. Copy the reset link received in the email and paste it into Chrome.
10. The token is leaked in the terminal. Use that token to reset the password.
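Steps 8 to 10 only work when the reset link is derived from the request's Host header. The following is an added defensive example, not motor-admin's code or its actual fix: a plain-Ruby, Rack-style middleware that rejects unexpected Host values, plus a reset-link builder that uses only server-side configuration. The host names, the `/reset_password` path, the token and all class and method names are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical settings for this example; not motor-admin configuration.
ALLOWED_HOSTS = ["admin.example.com", "admin.example.com:443"].freeze
CANONICAL_BASE_URL = "https://admin.example.com"

# Rack-style middleware (plain Ruby, no gems needed): reject any request
# whose Host header is not an exact, case-insensitive allowlist match.
class HostAllowlist
  def initialize(app, allowed_hosts)
    @app = app
    @allowed = allowed_hosts.map(&:downcase)
  end

  def call(env)
    host = env["HTTP_HOST"].to_s.downcase
    return @app.call(env) if @allowed.include?(host)

    [400, { "content-type" => "text/plain" }, ["Invalid Host header"]]
  end
end

# Build the reset link from configuration only, so no request header
# can influence where the emailed token points.
def password_reset_url(token, base_url = CANONICAL_BASE_URL)
  uri = URI.join(base_url, "/reset_password") # hypothetical path
  uri.query = URI.encode_www_form(token: token)
  uri.to_s
end

# Constructed stand-in for the "Forgot password" endpoint; the token is sample data.
FORGOT_PASSWORD_APP = lambda do |_env|
  [200, { "content-type" => "text/plain" }, [password_reset_url("constructed-token-123")]]
end

# Send one constructed request through the middleware and return [status, body].
def simulate(host)
  app = HostAllowlist.new(FORGOT_PASSWORD_APP, ALLOWED_HOSTS)
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/forgot_password", "HTTP_HOST" => host }
  status, _headers, body = app.call(env)
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  p simulate("admin.example.com") # legitimate Host value
  p simulate("0.0.0.0:8000")      # Host value from step 8
end
```

Either control alone breaks the flow in the steps above; using both means a forged Host header is refused and could not alter the emailed link even if it were accepted.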
Affected Environments
motor-admin versions 0.0.1 through 0.2.56
Prevention
Upgrade to motor-admin version 0.2.61
Language: Ruby
Good to know:
Base Score: | |
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | Required |
Scope (S): | Unchanged |
Confidentiality (C): | High |
Integrity (I): | High |
Availability (A): | High |
Base Score: | |
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Medium |
Authentication (AU): | None |
Confidentiality (C): | Partial |
Integrity (I): | Partial |
Availability (A): | Partial |
Additional information: |