
FeehiCMS 2.1.1 Host Header Injection #63

Closed
0xAsuka opened this issue Aug 29, 2022 · 3 comments


0xAsuka commented Aug 29, 2022

Hello, I found a Host Header Injection in FeehiCMS 2.1.1.

Description:
A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails.

PoC:
https://www.youtube.com/watch?v=k8dp0FJnSsI&ab_channel=IkariShinji

liufee (Owner) commented Aug 29, 2022

@linuxsec
This may not lead to security problems. You can't reset the password by clicking http://eveil.com/index.php?r=site/reset...

0xAsuka (Author) commented Aug 29, 2022

Hello @liufee, Host Header Injection is indeed a security problem. Here are some references on this attack:

  1. https://portswigger.net/web-security/host-header
  2. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
  3. https://crashtest-security.com/invalid-host-header/
  4. https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/http-header-injection/

In my PoC, evil.com is not the host that FeehiCMS is installed on, but a host controlled by the attacker. This is an attack scenario that leads to security problems:

  1. Feehi CMS is installed at feehi.com. Someone with the email victim@feehi.com is registered at this site.
  2. The attacker accesses the reset password page at feehi.com/index.php?r=site%2Frequest-password-reset
  3. The attacker uses victim@feehi.com to request a password reset link.
  4. Using Burp Suite, the attacker changes the "Host" header before sending the request to the original server. Obviously, evil.com is a malicious site controlled by the attacker.
  5. The reset password link will be sent to victim@feehi.com, with the domain of the reset password link already modified by the attacker.
  6. A victim who is not aware of this attack clicks the malicious link sent by the attacker using our reset password feature.

This is a reference on how to fix Host Header Injection at the application level:
https://vladtoie.gitbook.io/secure-coding/server-side/host-header-injection
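The scenario in the comment above, as an added example that is not part of this issue or of FeehiCMS's code: a Python sketch of a password-reset link builder that derives the link's domain from the incoming Host header, beside a hardened version that only accepts hosts from a configured allowlist. The request dictionary, the `TRUSTED_HOSTS` set, the email template and the `site%2Freset-password` route are all constructed or assumed here, not taken from the project.

```python
import secrets

# Constructed request, standing in for the Burp-modified request from the report:
# the attacker submits the victim's address but rewrites the Host header to a
# domain they control.
ATTACKER_REQUEST = {
    "headers": {"Host": "evil.com"},
    "form": {"email": "victim@feehi.com"},
}

# Same request as the real site would receive it from an ordinary browser.
NORMAL_REQUEST = {
    "headers": {"Host": "feehi.com"},
    "form": {"email": "victim@feehi.com"},
}

# Hypothetical deployment setting: every hostname the CMS is legitimately served
# from, compared as the full lowercase Host value (port included, if any).
TRUSTED_HOSTS = {"feehi.com", "www.feehi.com"}

# Hypothetical reset route; the real route is not shown in full in the issue.
RESET_ROUTE = "/index.php?r=site%2Freset-password"


def issue_reset_token() -> str:
    """Generate an unguessable single-use token for the reset link."""
    return secrets.token_urlsafe(32)


def build_reset_link_vulnerable(request: dict, token: str) -> str:
    """Reported behaviour: the link domain is whatever the client put in Host."""
    host = request["headers"]["Host"]
    return f"https://{host}{RESET_ROUTE}&token={token}"


def host_is_trusted(request: dict, trusted_hosts: set = TRUSTED_HOSTS) -> bool:
    """Return True only if the Host header exactly matches an allowlisted name."""
    host = request["headers"].get("Host", "").strip().lower()
    return host in trusted_hosts


def build_reset_link_hardened(request: dict, token: str,
                              trusted_hosts: set = TRUSTED_HOSTS) -> str:
    """Refuse to build a link (and so refuse to send mail) for an untrusted Host.

    Failing closed matters: a spoofed Host must not produce any email at all,
    otherwise the attacker still gets a phishing message delivered from the
    site's own sender address.
    """
    if not host_is_trusted(request, trusted_hosts):
        raise ValueError(f"untrusted Host header: {request['headers'].get('Host')!r}")
    host = request["headers"]["Host"].strip().lower()
    return f"https://{host}{RESET_ROUTE}&token={token}"


def render_reset_email(to_addr: str, link: str) -> str:
    """Constructed email body, to show where the spoofed link ends up."""
    return f"To: {to_addr}\n\nClick the following link to reset your password:\n{link}\n"


if __name__ == "__main__":
    token = issue_reset_token()
    # With the vulnerable builder the victim receives a link to evil.com.
    print(render_reset_email("victim@feehi.com",
                             build_reset_link_vulnerable(ATTACKER_REQUEST, token)))
    # With the hardened builder the same request is rejected before any mail is sent.
    try:
        build_reset_link_hardened(ATTACKER_REQUEST, token)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_reset_email("victim@feehi.com",
                             build_reset_link_hardened(NORMAL_REQUEST, token)))
```

An alternative to the allowlist is to ignore the Host header entirely and build absolute URLs from a configured canonical base URL; the allowlist form is shown because it also covers deployments that legitimately answer on more than one hostname. Either way, the check has to sit at the point where the absolute URL is built, not in the mail sender.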

liufee (Owner) commented Aug 29, 2022

Hi,
Thanks for your feedback~
The security problem was fixed.

d45cb9c

@liufee liufee closed this as completed Aug 29, 2022