Vulnerability Repor...
 
Notifications
Clear all

wpForo 1.x.x [Closed] Vulnerability Report : [Cross Domain Referer Leakage] Password Reset Token Leaking to Third party Sites.

8 Posts
3 Users
1 Likes
927 Views
alexanderhook27
Posts: 5
Topic starter
(@alexanderhook27)
Active Member
Joined: 2 years ago

It has been identified that the application is leaking referrers to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim.

Vulnerability Location: https://wpforo.com/community/?foro= lostpassword

Description/Summary:

It has been identified that the application is leaking referrers to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim

Sensitive information may include password reset tokens, session IDs, or personally identifiable information. If the external domain is not fully trusted, the information may be used to attack the user or the application. Since header information may be stored in many locations within an organization, the opportunity for sensitive information in the URL to be exposed is greatly increased. Headers are also frequently stored in many places including server logs, proxy logs, and threat detection systems.

Steps To Reproduce:

Step 1 - Go To https: https://wpforo.com/community/?foro= lostpassword
Step 2 - Enter Your Email And Click On Reset Password
Step 3 - Go To Email & Click on Password Reset Link
Step 4 - On Password Reset Page Click On Social Media Links Given Below And Capture The Request Using Burp Suite
Step 5 - You May Observe Full Password Reset Link Is Exposed To Third Party Sites.

Proof of concept: Are to be attached

Impact:

For Example User A Forgets His Password He Got To Forgot Password Page Reset And Receive Link By Email And Opened The Password Forgot Page Then Eventually User Remembers His Password and click on social media page then the link will be leaked in URL header
It allows the person who has control of particular site to change the user's password (CSRF attack), because this person knows reset password token of the use.

 

7 Replies
Martin
Posts: 867
Moderator
(@martin)
Support Team
Joined: 6 years ago

Hi @alexanderhook27,

Thank you for the report. But the user who has opened the password reset form in 99.999% cases don't click the share buttons. Because there is not any mean to share his password reset form. In any case, we're going to remove share buttons on password reset pages.

4 Replies
alexanderhook27
(@alexanderhook27)
Joined: 2 years ago

Active Member
Posts: 5

Hi @martin,

Through Burp Suite I will check the Host as in the screenshot your host is different. If I request a new token either it is reset token or it is another token (which reveal from your main Domain) and put into the checking tool I will check that your host is changed .means your HTTP will be hosted by another source. I will tell you this kind of issue will be showing in your website.So is it from your side that you allowed it to host your website on not. If you do not allow it then it is a bug and you fixed it.

 
Solution :

1_Send all sensitive information in the body of a POST request. If sensitive data must be passed in the URL query string, encrypt the data before transport

or

2_Just include the following HTML code in the following in code between <head> tags of the html of the page: <meta name="referrer" content="never" />
This will not send referrer headers to third party websites

alexanderhook27
(@alexanderhook27)
Joined: 2 years ago

Active Member
Posts: 5

@martin

If your website will hosted other source . so it will stolen the referral links easily, there is no need to  reset password link option required. 

Robert
Admin
(@robert)
Joined: 7 years ago

Support Team
Posts: 9739
Posted by: @alexanderhook27

If your website will hosted other source

Please leave some example. What does this mean?

 

And how about the WordPress? WordPress does the same. So this report should be sent to WordPress. wpForo is based on WordPress user registration and email confirmation functions.

 

alexanderhook27
(@alexanderhook27)
Joined: 2 years ago

Active Member
Posts: 5

@robert

this means host of your website  is different .as see in screenshot  www.googleapis.com will hosted your website. and your referal link will hosted by other source  you domain like www.wpforo.com did not host any refereal links..  

Through Burp Suite I will check the Host as in your case If I request a new token either it is reset token or it is another token and put into the Burpsuite software  and will check the host  as my observation your host is changed .means your HTTP will be hosted by another source like www.googleapis.com will host your  website.

 

Please see screenshot .!

thanks regarding

hook

alexanderhook27
Posts: 5
Topic starter
(@alexanderhook27)
Active Member
Joined: 2 years ago

Hi team

please update me regarding Bug?

And please confirm me,  is there any reward I have submitted bug?

1 Reply
Robert
Admin
(@robert)
Joined: 7 years ago

Support Team
Posts: 9739

@alexanderhook27,

We'll care about this report in future releases.

This is a free plugin, and we do free support for this plugin, so all contributions you provide here is also free. Se don't have any reward. This community is created to help each others and make this plugin better. The topic is closed.

Thank you!

Share: