#1 WordPress forum plugin created by gVectors Team

wpForo – WordPress Forum Plugin
[Closed] Vulnerability Report : [Cross Domain Referer Leakage] Password Reset Token Leaking to Third party Sites.  


alexanderhook27 (@alexanderhook27), Topic starter, Active Member
Posts: 5, Joined: 2 months ago
November 29, 2020 3:21 pm

It has been identified that the application is leaking referrers to third-party sites. In this case it was found that the password reset token is being leaked to third-party sites, which is an issue given that it can allow any malicious user to use the token and reset the victim's password.

Vulnerability Location: https://wpforo.com/community/?foro=lostpassword

Description/Summary:

It has been identified that the application is leaking referrers to third-party sites. In this case it was found that the password reset token is being leaked to third-party sites, which is an issue given that it can allow any malicious user to use the token and reset the victim's password.

Sensitive information may include password reset tokens, session IDs, or personally identifiable information. If the external domain is not fully trusted, the information may be used to attack the user or the application. Since header information may be stored in many locations within an organization, the opportunity for sensitive information in the URL to be exposed is greatly increased. Headers are also frequently stored in many places including server logs, proxy logs, and threat detection systems.

Steps To Reproduce:

Step 1 - Go To https://wpforo.com/community/?foro=lostpassword
Step 2 - Enter Your Email And Click On Reset Password
Step 3 - Go To Email & Click on Password Reset Link
Step 4 - On Password Reset Page Click On Social Media Links Given Below And Capture The Request Using Burp Suite
Step 5 - You May Observe Full Password Reset Link Is Exposed To Third Party Sites.

Proof of concept: Are to be attached

Impact:

For example, User A forgets his password. He goes to the Forgot Password page, resets, receives the link by email, and opens the password reset page. Then eventually the user remembers his password and clicks on a social media page link; the link will then be leaked in the URL header.
It allows the person who has control of a particular site to change the user's password (CSRF attack), because this person knows the reset password token of the user.

 

 wpForo-1.png
7 Replies
Martin (@martin), Moderator, Support Team
Posts: 688, Joined: 5 years ago
November 30, 2020 6:24 am

Hi @alexanderhook27,

Thank you for the report. But a user who has opened the password reset form doesn't click the share buttons in 99.999% of cases, because there is no meaning in sharing his password reset form. In any case, we're going to remove share buttons on password reset pages.

Powered by gVectors Team. our popular plugins:
wpForo, wpDiscuz

4 Replies
alexanderhook27 (@alexanderhook27), Active Member
Posts: 5, Joined: 2 months ago
November 30, 2020 8:16 am
Reply to Martin

Hi @martin,

Through Burp Suite I will check the Host; as in the screenshot, your host is different. If I request a new token, whether it is a reset token or another token (which is revealed from your main domain), and put it into the checking tool, I will see that your host is changed. This means your HTTP will be hosted by another source. I will tell you this kind of issue will be showing on your website. So is it from your side that you allowed it to host your website or not? If you do not allow it, then it is a bug and you fix it.

 
Solution:

1. Send all sensitive information in the body of a POST request. If sensitive data must be passed in the URL query string, encrypt the data before transport.

or

2. Just include the following HTML code between the <head> tags of the page's HTML: <meta name="referrer" content="never" />
This will not send referrer headers to third-party websites.
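
Added example, not part of the original post or of wpForo's code: a simplified model of the browser's Referrer Policy algorithm, showing under which policies a reset token in the query string reaches a cross-origin link target. The URLs, the `token` parameter name and the token value are constructed; `never` is the legacy keyword used in the meta tag above.

```javascript
// Added example: simplified model of how a browser picks the Referer header
// under each Referrer-Policy value. URLs and the token are constructed.
const RESET_PAGE = 'https://forum.example/community/?action=resetpass&token=CONSTRUCTED-TOKEN';
const SHARE_LINK = 'https://social.example/share?u=https%3A%2F%2Fforum.example%2F';

// Legacy <meta name="referrer"> keyword from the post; browsers treat it as no-referrer.
const LEGACY = { never: 'no-referrer' };

function refererFor(pageUrl, targetUrl, policy) {
  const from = new URL(pageUrl);
  const to = new URL(targetUrl);
  // Fragment and credentials are always stripped from a referrer.
  from.hash = ''; from.username = ''; from.password = '';
  const full = from.href;
  const originOnly = from.origin + '/';
  const sameOrigin = from.origin === to.origin;
  // Simplification: "downgrade" here means HTTPS page -> non-HTTPS target.
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (LEGACY[policy] || policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : originOnly);
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// True when the Referer sent to the target still carries the named query parameter.
function leaksParam(pageUrl, targetUrl, policy, param) {
  const referer = refererFor(pageUrl, targetUrl, policy);
  return referer !== null && new URL(referer).searchParams.has(param);
}

// Policies under which the token on the reset page reaches the third-party site.
function leakingPolicies(param) {
  const all = ['no-referrer', 'never', 'same-origin', 'origin', 'strict-origin',
    'origin-when-cross-origin', 'strict-origin-when-cross-origin',
    'no-referrer-when-downgrade', 'unsafe-url'];
  return all.filter((p) => leaksParam(RESET_PAGE, SHARE_LINK, p, param));
}

console.log(leakingPolicies('token'));
```

Only the policies that send the full URL cross-origin expose the token; the origin-only and no-referrer policies keep the query string out of the header.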

alexanderhook27 (@alexanderhook27), Active Member
Posts: 5, Joined: 2 months ago
November 30, 2020 8:28 am
Reply to Martin

@martin

If your website will be hosted by another source, it will steal the referral links easily; there is no need for the reset password link option.

Robert (@robert), Admin, Support Team
Posts: 7543, Joined: 5 years ago
December 1, 2020 6:26 am
Reply to alexanderhook27
Posted by: @alexanderhook27

If your website will be hosted by another source

Please leave some example. What does this mean?

 

And how about the WordPress? WordPress does the same. So this report should be sent to WordPress. wpForo is based on WordPress user registration and email confirmation functions.

 

In case you want to say thank you !)
We'd really appreciate and be thankful if you leave a good review on plugin page. This is the best way to say thank you to this project and support team.

alexanderhook27 (@alexanderhook27), Active Member
Posts: 5, Joined: 2 months ago
December 1, 2020 7:03 pm
Reply to Robert

@robert

This means the host of your website is different. As seen in the screenshot, www.googleapis.com will host your website, and your referral link will be hosted by another source; your domain, like www.wpforo.com, did not host any referral links.

Through Burp Suite I will check the host. In your case, if I request a new token, whether it is a reset token or another token, and put it into the Burp Suite software and check the host, my observation is that your host is changed. This means your HTTP will be hosted by another source, like www.googleapis.com will host your website.

Please see the screenshot!

thanks regarding

hook

alexanderhook27 (@alexanderhook27), Topic starter, Active Member
Posts: 5, Joined: 2 months ago
December 2, 2020 6:43 pm

Hi team

Please update me regarding the bug.

And please confirm: is there any reward for the bug I have submitted?

1 Reply
Robert (@robert), Admin, Support Team
Posts: 7543, Joined: 5 years ago
December 3, 2020 9:29 am
Reply to alexanderhook27

@alexanderhook27,

We'll care about this report in future releases.

This is a free plugin, and we do free support for this plugin, so all contributions you provide here are also free. We don't have any reward. This community is created to help each other and make this plugin better. The topic is closed.

Thank you!
