Bug description
The application's forgot password functionality is vulnerable to Host header injection. This vulnerability allows an attacker to manipulate the Host header in HTTP requests during the password reset process, leading to account takeover.
Steps to reproduce
1- Open the password reset page https://<.monica address>/forgot-password
2- Enter the victim's email address and click "Email Password Reset Link"
3- Intercept the HTTP request in Burp Suite and replace the Host header with your Collaborator domain. (This is NOT a man-in-the-middle attack.)
Expected behavior
Normally you should require the current domain to be manually specified in a configuration file and refer to this value instead of the Host header.
Issue remediation
Validate the Host header
If you must use the Host header, make sure you validate it properly. This should involve checking it against a whitelist of permitted domains and rejecting or redirecting any requests for unrecognized hosts. You should consult the documentation of your framework for guidance on how to do this.
Don't support Host override headers
It is also important to check that you do not support additional headers that may be used to construct these attacks, in particular X-Forwarded-Host. Remember that these may be supported by default.
Screenshots (not preserved): the request; the response; the password reset email sent to the victim; the DNS and HTTP requests received on Burp Collaborator.
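As an added illustration of the remediation above (example code, not Monica's own): a Python sketch that builds the reset link from a configured canonical URL and checks the Host header against an allowlist, next to the request-derived pattern this report describes. APP_URL, ALLOWED_HOSTS and the /reset-password/<token> path are assumed values.

```python
# Added example (not Monica's code): build a password-reset link from a
# configured canonical URL and validate the Host header against an allowlist,
# instead of echoing whatever Host (or X-Forwarded-Host) the request carried.
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment settings, comparable to a framework's APP_URL (constructed values).
APP_URL = "https://monica.example.org"
ALLOWED_HOSTS = {"monica.example.org"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the report describes: the link is built from the request's Host."""
    host = headers.get("Host", "")
    return f"https://{host}/reset-password/{token}"


def request_host_is_allowed(headers: dict) -> bool:
    """Accept the request only if Host is on the allowlist.

    Override headers such as X-Forwarded-Host are deliberately never consulted.
    """
    host = headers.get("Host", "").strip().lower()
    host = host.split(":", 1)[0]  # drop an explicit port (non-IPv6-literal hosts)
    return host in ALLOWED_HOSTS


def reset_link_safe(headers: dict, token: str) -> str:
    """Hardened form: reject unknown hosts, then build the link from APP_URL only."""
    if not request_host_is_allowed(headers):
        raise ValueError("unrecognized Host header")
    scheme, netloc, _path, _query, _fragment = urlsplit(APP_URL)
    return urlunsplit((scheme, netloc, f"/reset-password/{token}", "", ""))
```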
Environment
Your own self-hosted instance (monica v4)
Version of Monica
4 (probably other versions are affected too)
Installation method
Docker image
Web server
Apache
Database engine version
SQLite
Additional info
Platform Info
Apache version: Apache/2.4.57
PHP version: PHP/8.2.14