It has been identified that the application is leaking referrers to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim.
Vulnerability Location: https://wpforo.com/community/?foro= lostpassword
Description/Summary:
It has been identified that the application is leaking referrers to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is an issue knowing the fact that it can allow any malicious users to use the token and reset the passwords of the victim
Sensitive information may include password reset tokens, session IDs, or personally identifiable information. If the external domain is not fully trusted, the information may be used to attack the user or the application. Since header information may be stored in many locations within an organization, the opportunity for sensitive information in the URL to be exposed is greatly increased. Headers are also frequently stored in many places including server logs, proxy logs, and threat detection systems.
Steps To Reproduce:
Step 1 - Go To https: https://wpforo.com/community/?foro= lostpassword
Step 2 - Enter Your Email And Click On Reset Password
Step 3 - Go To Email & Click on Password Reset Link
Step 4 - On Password Reset Page Click On Social Media Links Given Below And Capture The Request Using Burp Suite
Step 5 - You May Observe Full Password Reset Link Is Exposed To Third Party Sites.
Proof of concept: Are to be attached
Impact:
For Example User A Forgets His Password He Got To Forgot Password Page Reset And Receive Link By Email And Opened The Password Forgot Page Then Eventually User Remembers His Password and click on social media page then the link will be leaked in URL header
It allows the person who has control of particular site to change the user's password (CSRF attack), because this person knows reset password token of the use.
Hi @alexanderhook27,
Thank you for the report. But the user who has opened the password reset form in 99.999% cases don't click the share buttons. Because there is not any mean to share his password reset form. In any case, we're going to remove share buttons on password reset pages.
Hi @martin,
Through Burp Suite I will check the Host as in the screenshot your host is different. If I request a new token either it is reset token or it is another token (which reveal from your main Domain) and put into the checking tool I will check that your host is changed .means your HTTP will be hosted by another source. I will tell you this kind of issue will be showing in your website.So is it from your side that you allowed it to host your website on not. If you do not allow it then it is a bug and you fixed it.
1_Send all sensitive information in the body of a POST request. If sensitive data must be passed in the URL query string, encrypt the data before transport
or
2_Just include the following HTML code in the following in code between <head> tags of the html of the page: <meta name="referrer" content="never" />
This will not send referrer headers to third party websites
If your website will hosted other source . so it will stolen the referral links easily, there is no need to reset password link option required.
If your website will hosted other source
Please leave some example. What does this mean?
And how about the WordPress? WordPress does the same. So this report should be sent to WordPress. wpForo is based on WordPress user registration and email confirmation functions.
this means host of your website is different .as see in screenshot www.googleapis.com will hosted your website. and your referal link will hosted by other source you domain like www.wpforo.com did not host any refereal links..
Through Burp Suite I will check the Host as in your case If I request a new token either it is reset token or it is another token and put into the Burpsuite software and will check the host as my observation your host is changed .means your HTTP will be hosted by another source like www.googleapis.com will host your website.
Please see screenshot .!
thanks regarding
hook
Hi team
please update me regarding Bug?
And please confirm me, is there any reward I have submitted bug?
We'll care about this report in future releases.
This is a free plugin, and we do free support for this plugin, so all contributions you provide here is also free. Se don't have any reward. This community is created to help each others and make this plugin better. The topic is closed.
Thank you!