[Closed] Vulnerability Report : [Cross Domain Referer Leakage] Password Reset Token Leaking to Third party Sites.
It has been identified that the application is leaking referrers to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim.
It has been identified that the application is leaking referrers to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim
Sensitive information may include password reset tokens, session IDs, or personally identifiable information. If the external domain is not fully trusted, the information may be used to attack the user or the application. Since header information may be stored in many locations within an organization, the opportunity for sensitive information in the URL to be exposed is greatly increased. Headers are also frequently stored in many places including server logs, proxy logs, and threat detection systems.
Steps To Reproduce:
Step 1 - Go To https: https://wpforo.com/community/?foro= lostpassword
Step 2 - Enter Your Email And Click On Reset Password
Step 3 - Go To Email & Click on Password Reset Link
Step 4 - On Password Reset Page Click On Social Media Links Given Below And Capture The Request Using Burp Suite
Step 5 - You May Observe Full Password Reset Link Is Exposed To Third Party Sites.
Proof of concept: Are to be attached
For Example User A Forgets His Password He Got To Forgot Password Page Reset And Receive Link By Email And Opened The Password Forgot Page Then Eventually User Remembers His Password and click on social media page then the link will be leaked in URL header
It allows the person who has control of particular site to change the user's password (CSRF attack), because this person knows reset password token of the use.
Thank you for the report. But the user who has opened the password reset form in 99.999% cases don't click the share buttons. Because there is not any mean to share his password reset form. In any case, we're going to remove share buttons on password reset pages.
please update me regarding Bug?
And please confirm me, is there any reward I have submitted bug?