Manipulation of Host Header leads to Account Takeover Vulnerability #748
Tbh, the vulnerability is pretty simple. On line 33, the $_SERVER['HTTP_HOST'] value is directly used without any validation, and then on line 34 an e-mail is sent to the targeted account's e-mail address.
The content of the password reset e-mail is generated using the following string definition.
So that means the $_SERVER['HTTP_HOST'] value is used for URL generation in the e-mail template, and we can fully control it.
We can spoof the $_SERVER['HTTP_HOST'] value during the HTTP request to the password reset endpoint.
The actual Host header value IS NOT hacker.com, but the URL will be hacker.com in the password reset e-mail. As you can see in the following screenshot, even though Vesta is installed on 192.168.74.163 on port 8060, the URL placed in the e-mail for account recovery is HACKER.com now. So if the admin user clicks on that link in the e-mail, HACKER.COM will steal the code value, which is enough for resetting the password of the admin user.
PS: I should mention that in a real-life use case you can use a very similar domain name instead of hacker.com :) Since the e-mail is being sent from the Vesta server, it's not a kind of phishing attack.
According to the technical details of the installation, Vesta installs its own Apache, Nginx and a bunch of services. That means 90% of real-life deployments are standalone servers. By saying that I mean there is no different service in front of Vesta where there might be validation of the Host field of the request header.
This vulnerability could have been mitigated by Nginx configuration, which is used as a reverse proxy in the product, or even Apache, without touching the PHP side. But the default Vesta configuration gives you the chance to work with the Host field.
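The pattern the report describes, side by side with a hardened variant, as an added example that is not Vesta's own code (the function names, the configured hostname and the allow list are hypothetical; the 192.168.74.163:8060 entry mirrors the install address mentioned above):

```php
<?php
// Added illustration, not VestaCP's code. Shows why building a password-reset
// link from the request's Host header lets the link be redirected, and how a
// reset handler can instead use a configured hostname and refuse unexpected
// Host values. Names and values below are hypothetical.

// Vulnerable pattern: the Host header is client-controlled, so whoever sends
// the reset request decides which domain the e-mailed link points at.
function reset_link_vulnerable(string $code): string
{
    return 'https://' . $_SERVER['HTTP_HOST'] . '/reset/?code=' . urlencode($code);
}

// Hardened pattern: the link is derived from install-time configuration,
// never from the request, and a Host value outside the allow list aborts
// the reset so no e-mail is sent at all.
const PANEL_HOSTNAME = 'panel.example.com';                       // hypothetical config
const ALLOWED_HOSTS  = ['panel.example.com', '192.168.74.163:8060']; // hypothetical allow list

function host_is_allowed(string $host): bool
{
    return in_array(strtolower($host), ALLOWED_HOSTS, true);
}

function reset_link_hardened(string $code): ?string
{
    $requestHost = $_SERVER['HTTP_HOST'] ?? '';
    if (!host_is_allowed($requestHost)) {
        // A mismatched Host is either misconfiguration or an attempted
        // reset-link poisoning; log it and send nothing.
        error_log("password reset refused: unexpected Host header '$requestHost'");
        return null;
    }
    return 'https://' . PANEL_HOSTNAME . '/reset/?code=' . urlencode($code);
}

// Demonstration with a constructed request environment.
$code = bin2hex(random_bytes(16));

$_SERVER['HTTP_HOST'] = 'hacker.com';          // constructed spoofed Host header
echo "vulnerable: ", reset_link_vulnerable($code), PHP_EOL;
$link = reset_link_hardened($code);
echo "hardened:   ", $link === null ? 'refused, no e-mail sent' : $link, PHP_EOL;

$_SERVER['HTTP_HOST'] = 'panel.example.com';   // constructed legitimate Host header
echo "hardened:   ", reset_link_hardened($code), PHP_EOL;
```

The same check can be enforced one layer earlier by having the reverse proxy reject or redirect requests whose Host header is not the configured server name, which is the Nginx/Apache mitigation the comment above refers to.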
Of course! I was particularly interested in finding a 0day in Vesta because of an, hmm, let's say assignment :). If I find anything else in the future, I will definitely send it via e-mail.
Also, may I suggest you guys use the Security feature of GitHub so that we can all have this conversation privately next time?