CVE-2022-23079

Overview

In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim.

Details

In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim.

PoC Details

1. Start a python server in terminal and listen on port 8000
2. Go to http://0.0.0.0:3000/sign_in and login with a valid user
3. Go to http://0.0.0.0:3000/settings/email and configure SMTP
settings. (also ensure to change current email address to valid
one to receive reset link)
4. Logout of the application.
5. Go back to “Sign in”-> “Forgot password” and enter the email
address to reset password.
6. Intercept in burp and click the button. Don’t change anything
and forward all requests.
7. Go back to the “Forgot password” page and enter the same
email address and intercept the request.
8. This time, remove the Origin header and in Host header,
change host to 0.0.0.0:8000 and forward the request.
9. Copy the reset link received in email and paste in chrome.
10. We see that the token is leaked in the terminal. Use that
token to reset the password.

Affected Environments

motor-admin versions 0.0.1 through 0.2.56

Prevention

Upgrade to motor-admin version 0.2.61