CVE-2021-25980

Date: November 11, 2021

Overview

In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1 and tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and take over their account.

Details

The “Talkyard” application is vulnerable to “Host Header Injection”. When an attacker submits a forgot-password request for the victim's email address with the Host header value changed to an attacker-controlled address, the application accepts the request and the victim receives a password reset email whose link uses the attacker's address as the base URL. When the victim clicks the link, the password reset token is sent to the attacker's address, and the attacker can use that token to reset the victim's password.

PoC Details

As an attacker, access the forgotten-password functionality and enter the victim's email address. Intercept the request sent after clicking the “submit” button. In the “/-/reset-password/specify-email” request, modify the “Host” value to the attacker's address and forward the request. A password reset email whose link uses the modified base URL is sent to the victim.
After clicking on the password reset link received via email, the victim is redirected to the attacker's site.
The attacker receives the password reset token once the victim accesses the link. Using the token, the attacker makes a request to the original site to reset the victim's password and can then take over the victim’s account.

Affected Environments

Talkyard versions v0.04.01 through v0.6.74; v0.2020.22 through v0.2021.02; tyse-v0.2021.02 through tyse-v0.2021.28

Prevention

Update to Talkyard version "tyse-v0.2021.29-8cb7f73fe-regular"
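As an added illustration of the fix class behind the Details and Prevention sections above (this is example code, not Talkyard's own code, and the actual patch in tyse-v0.2021.29-8cb7f73fe-regular may be implemented differently): a reset-link builder that copies the request's Host header, beside one that validates Host against a configured allow-list and always builds the link from a configured canonical origin. The origin `forum.example.com`, the path `/reset-password`, and all function names are hypothetical.

```typescript
// Added example, not Talkyard's code: building password-reset links without
// trusting the Host header (the Host Header Injection class of CVE-2021-25980).
// The origin, reset path and function names are hypothetical.

const CANONICAL_ORIGIN = "https://forum.example.com"; // deployment config, never derived from the request
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["forum.example.com"]);
const RESET_PATH = "/reset-password"; // hypothetical; the real Talkyard path is not on the page

interface ResetMailInput {
  hostHeader: string | undefined; // raw Host header of the "forgot password" request
  token: string;                  // single-use reset token issued for the account
}

type ResetLinkResult =
  | { ok: true; link: string }
  | { ok: false; reason: string };

// Vulnerable pattern: the link's base URL is copied from the request's Host
// header, so whoever submits the "forgot password" form decides which server
// receives the token when the recipient clicks the link.
function buildResetLinkVulnerable(input: ResetMailInput): string {
  return `https://${input.hostHeader}${RESET_PATH}?token=${encodeURIComponent(input.token)}`;
}

// Host allow-list check: lower-case, accept only a plain hostname with an
// optional default HTTPS port, and require an exact match against the
// configured names (so "forum.example.com.attacker.example" is rejected).
function isTrustedHost(hostHeader: string | undefined): boolean {
  if (!hostHeader) return false;
  const m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/.exec(hostHeader.trim().toLowerCase());
  if (!m) return false;
  const [, name, port] = m;
  if (port && port !== "443") return false;
  return ALLOWED_HOSTS.has(name);
}

// Hardened pattern: reject requests whose Host is not one of ours (the reason
// string is worth logging as a detection signal) and build the link from the
// configured origin, so the Host header never influences where the token goes.
function buildResetLinkSafe(input: ResetMailInput): ResetLinkResult {
  if (!isTrustedHost(input.hostHeader)) {
    return { ok: false, reason: `untrusted Host header: ${input.hostHeader ?? "<missing>"}` };
  }
  const url = new URL(RESET_PATH, CANONICAL_ORIGIN);
  url.searchParams.set("token", input.token);
  return { ok: true, link: url.toString() };
}

// Constructed demonstration input: a reset request whose Host header has been
// changed to a third-party address.
const tamperedRequest: ResetMailInput = { hostHeader: "attacker.example", token: "tok123" };
console.log(buildResetLinkVulnerable(tamperedRequest)); // base URL is the third-party host
console.log(buildResetLinkSafe(tamperedRequest));       // { ok: false, reason: "untrusted Host header: ..." }
```

The allow-list check is deliberately strict: it matches whole hostnames rather than prefixes or suffixes, and it only tolerates the default port, because permissive Host matching is the usual way such checks get bypassed. Even when the Host is trusted, the link is built from `CANONICAL_ORIGIN`, not from the header, so the header's only role is to gate the request.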

Language: TYPE_SCRIPT

Good to know:


Injection

CWE-74

Upgrade Version

Upgrade to version tyse-v0.2021.29-8cb7f73fe-regular


Base Score (CVSS v3 metrics):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score (CVSS v2 metrics):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial