No Code Attached Yet
cdhexter - 2 Aug 2024

This was one of those bug bounty emails we received; I don't know how true it is, but I was advised to post it here.

Title:
Date: July 29, 2024
Reported By: Aditya
Vulnerability Type: Password Reset Poisoning
Severity: Critical
Summary:
A vulnerability in the password reset functionality allows an attacker to perform a password reset poisoning attack. This exploit can manipulate the password reset link to direct the victim to a malicious website, potentially leading to account compromise.
Affected Functionality:
Password Reset Process
Impact:
Unauthorized account access
Compromise of sensitive user information

Steps to reproduce the issue

Step 1: Navigate to the password reset page.
Step 2: Enter the email address of the target account.
Step 3: Intercept the password reset link.
Step 4: Use a web proxy tool (e.g., Burp Suite) to intercept the HTTP request containing the password reset link.
Step 5: Modify the reset link.
Step 6: Modify the URL parameter in the intercepted link to point to an attacker-controlled domain.

Expected result

Original Link: https://www.xxx.co.uk/login?view=reset& ... e70e77d24d

Actual result

Poisoned Link: https://www.yyy.com/login?view=reset&la ... f1013d7280

System information (as much as possible)

Joomla 4.4.4
php 8.1

Additional comments

Mitigation:
Validate and sanitize URL parameters.
Restrict malicious URLs.
Conclusion:
The identified password reset poisoning vulnerability poses a significant risk, as it allows attackers to take over user accounts. Immediate remediation is required to prevent potential exploitation and ensure the security of user accounts.
Thank you for your attention to this critical security issue.
Regards

cdhexter - open - 2 Aug 2024
cdhexter - change - 2 Aug 2024
Labels Removed: ?
joomla-cms-bot - change - 2 Aug 2024
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 2 Aug 2024
brianteeman - comment - 2 Aug 2024

The Joomla team and community take all security bugs in Joomla seriously. The Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.

If you find a possible vulnerability, please report it to the JSST using the online form or via email at security@joomla.org

richard67 - comment - 2 Aug 2024

@cdhexter Please check https://github.com/joomla/joomla-cms/security/policy on how to report security issues.

Hackwar - comment - 2 Aug 2024

If you are able to intercept the email sent for the reset link and then control the traffic of the victim to redirect to somewhere else, you are completely compromised, and I don't see how Joomla can do anything to protect a compromised user.

SniperSister - comment - 2 Aug 2024

The provided description of the attack doesn't make much sense.

The attack category in question however only works if a site is vulnerable to a Host Header injection attack, which requires a rather unusual hosting setup. If your site is vulnerable to such an attack, setting the live_site configuration.php variable or a different hosting setup is the way to go.

This is not a general issue of the CMS.

I suggest closing the issue.

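The Host header injection that SniperSister refers to is the only realistic way a reset link ends up pointing at another domain: the application builds the absolute link from the `Host` (or `X-Forwarded-Host`) value the client sent, and a catch-all virtual host lets an attacker choose that value. The following is an added Python example for this thread, not Joomla code and not from any participant; it shows the vulnerable link builder beside the hardened one and the server-side host check that goes with it. The site URL, the allowed host list, the `layout`/`token` query parameter names and the sample request are assumptions made for the illustration.

```python
"""Host header poisoning of a password reset link, with the fix.

Added example for this thread, not Joomla code. The site URL, allowed hosts,
query parameter names and the sample request are assumptions chosen to
illustrate the mechanism, not values taken from the report.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# Assumed canonical site URL. In Joomla the equivalent setting is $live_site
# in configuration.php; this value is a placeholder, not the reporter's site.
LIVE_SITE = "https://www.example.co.uk"
ALLOWED_HOSTS = {"www.example.co.uk", "example.co.uk"}


def parse_request_headers(raw_request: bytes) -> dict:
    """Return the headers of a raw HTTP/1.1 request as a lowercase-keyed dict."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Build the link from whatever host the client sent.

    Trusting X-Forwarded-Host or Host here is what makes reset poisoning
    possible: the attacker's value ends up in the e-mail sent to the victim.
    """
    host = headers.get("x-forwarded-host") or headers.get("host", "")
    query = urlencode({"view": "reset", "layout": "confirm", "token": token})
    return f"https://{host}/login?{query}"


def reset_link_hardened(headers: dict, token: str, live_site: str = LIVE_SITE) -> str:
    """Anchor the link to the configured site; client-supplied host headers are ignored."""
    query = urlencode({"view": "reset", "layout": "confirm", "token": token})
    return f"{live_site.rstrip('/')}/login?{query}"


def host_header_is_trusted(headers: dict, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Server-side check to pair with a fixed base URL: reject requests whose
    Host or X-Forwarded-Host is not one of the expected names.

    A port suffix (host:443) is stripped before comparison; IPv6 literals are
    not handled, which is acceptable for a site served under DNS names.
    """
    for name in ("host", "x-forwarded-host"):
        value = headers.get(name)
        if value is None:
            continue
        if value.split(":")[0].strip().lower() not in allowed_hosts:
            return False
    return True


def link_host(link: str) -> str:
    """Hostname the reset link actually points at."""
    return urlsplit(link).hostname or ""


# Constructed sample request (not a captured one): the attacker submits the
# victim's address to the reset form and overrides the host the application
# will echo into the link.
POISONED_REQUEST = (
    b"POST /login?view=reset HTTP/1.1\r\n"
    b"Host: www.example.co.uk\r\n"
    b"X-Forwarded-Host: attacker.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"email=victim%40example.co.uk"
)


def demo(raw_request: bytes = POISONED_REQUEST) -> dict:
    """Run both builders and the host check against one request."""
    headers = parse_request_headers(raw_request)
    token = secrets.token_hex(16)  # stand-in for the server's reset token
    return {
        "vulnerable_link_host": link_host(reset_link_vulnerable(headers, token)),
        "hardened_link_host": link_host(reset_link_hardened(headers, token)),
        "host_header_trusted": host_header_is_trusted(headers),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Setting `$live_site` in configuration.php, as suggested in the comment above, plays the role of `LIVE_SITE` here: it fixes the base URL the CMS uses when it builds absolute links, so a spoofed host value never reaches the e-mail. The practical check for a site is to submit the reset form with a changed `Host` (or `X-Forwarded-Host`) header and look at which host the link in the received e-mail points to; if it follows the header, the hosting setup accepts arbitrary Host values and `live_site` (or a stricter virtual host configuration) should be put in place.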
Fedik - change - 2 Aug 2024
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2024-08-02 10:28:18
Closed_By: Fedik
Fedik - close - 2 Aug 2024
