liufee / cms

Feehi CMS based on yii2
http://demo.cms.feehi.com

FeehiCMS 2.1.1 Host Header Injection #63

Closed 0xAsuka closed 2 years ago

0xAsuka commented 2 years ago

Hello, I found a Host Header Injection in FeehiCMS 2.1.1.

Description: A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails.

PoC: https://www.youtube.com/watch?v=k8dp0FJnSsI&ab_channel=IkariShinji

liufee commented 2 years ago

@linuxsec This may not lead to security problems. You can't reset the password by clicking http://eveil.com/index.php?r=site/reset...

0xAsuka commented 2 years ago

Hello @liufee, Host Header Injection is indeed a security problem. Here are some references on this attack:

  1. https://portswigger.net/web-security/host-header
  2. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
  3. https://crashtest-security.com/invalid-host-header/
  4. https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/http-header-injection/

In my PoC, evil.com is not the host where FeehiCMS is installed but a host controlled by the attacker. This is an attack scenario that leads to security problems:

  1. Feehi CMS is installed at feehi.com. Someone with the email vicim@feehi.com is registered at this site.
  2. The attacker accesses the reset password page at feehi.com/index.php?r=site%2Frequest-password-reset
  3. The attacker uses vicim@feehi.com to request a reset password link.
  4. Using Burp Suite, the attacker changes the "Host" header before sending the request to the original server. Obviously, evil.com is a malicious site controlled by the attacker.
  5. The reset password link will be sent to vicim@feehi.com, with the domain of the reset password link already modified by the attacker.
  6. A victim who is not aware of this attack clicks the malicious link sent by the attacker using our reset password feature.

This is a reference on how to fix Host Header Injection at the application level: https://vladtoie.gitbook.io/secure-coding/server-side/host-header-injection
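One application-level mitigation for the scenario above, as an added example that is not code from the FeehiCMS repository or from the linked fix commit: pin the host that Yii2 uses for absolute URLs so the reset link is built from configuration rather than from the request's Host header, and reject requests whose Host is not on an allowlist. The canonical host `https://feehi.com`, the `reset-password` route and the function names are assumptions.

```php
<?php
// Added example (not FeehiCMS code): two layers against Host header
// injection in password-reset mails.

// Layer 1: Yii2 application config. Pinning `hostInfo` on the request
// component makes Url::to([...], true) / createAbsoluteUrl() use this
// value instead of the incoming Host header, so the link in the mail
// cannot be pointed at an attacker-controlled domain such as evil.com.
$config = [
    'components' => [
        'request' => [
            // Assumed canonical deployment URL; adjust to the real site.
            'hostInfo' => 'https://feehi.com',
        ],
    ],
];

// Layer 2: explicit allowlist check for deployments that must serve more
// than one hostname (run it early, e.g. in the entry script).
function isTrustedHost(string $hostHeader, array $allowedHosts): bool
{
    // Drop an optional :port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)) ?? '');
    // Only plain hostnames pass; anything with '/', '@', whitespace or
    // CR/LF (header smuggling attempts) is rejected outright.
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return false;
    }
    return in_array($host, $allowedHosts, true);
}

// Build the reset link from the configured host, never from the request.
// The route is an assumption based on the Yii2 site controller pattern.
function buildResetUrl(string $canonicalHostInfo, string $token): string
{
    return $canonicalHostInfo . '/index.php?r=site%2Freset-password&token='
        . rawurlencode($token);
}

// Constructed sample values mirroring the thread's scenario.
$allowed = ['feehi.com', 'www.feehi.com'];
var_dump(isTrustedHost('feehi.com', $allowed));
var_dump(isTrustedHost('feehi.com:443', $allowed));
var_dump(isTrustedHost('evil.com', $allowed));
var_dump(isTrustedHost("feehi.com\r\nX-Injected: 1", $allowed));
echo buildResetUrl($config['components']['request']['hostInfo'], 'tok3n'), PHP_EOL;
```

The same Host check should also exist at the web server (default vhost that rejects unknown hostnames), since the application can only see what the server forwards to it.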

liufee commented 2 years ago

Hi, thanks for your feedback~ The security problem was fixed.

https://github.com/liufee/cms/commit/d45cb9cb26d6f5ef491fa2c7d87ac7f26091bd7c