Overview
In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted Host header in the password reset request, an attacker can cause the password reset links sent to users to point at an attacker-controlled server. Once a user clicks such a link, the password reset token leaks to that server, which leads to account takeover.
Details
Snipe-IT is vulnerable to Host Header Injection. By sending a specially crafted Host header in the password reset request, an attacker can cause the password reset links sent to users to point at an attacker-controlled server. Once a user clicks such a link, the password reset token leaks to that server.
PoC Details
Access the application URL, click on “I forgot my password” and enter the victim's username. Now, intercept the request after clicking the “Email Password Reset” button. In the intercepted request, modify the “Host” header value to the attacker's address and forward the request. A password reset email link is sent to the victim with the modified base URL. The victim is redirected to the attacker's site after clicking on the password reset link received via email, and the reset token is logged at the attacker's server.
Affected Environments
v3.0-alpha through v5.3.7
Prevention
Upgrade to v5.3.8 or later.
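The following is an added illustration, not Snipe-IT's own code and not the fix shipped in v5.3.8: it shows, in generic Python, the unsafe pattern the Details and PoC sections describe (building the reset link from the client-supplied Host header), a hardened version that builds the link from a configured canonical base URL and rejects untrusted Host values, and a small detector that flags reset requests carrying an unexpected Host. The APP_URL, trusted hostnames, URL paths, token and log lines are all constructed for the example.

```python
"""Host-header-injection pattern and its standard defence (generic example).

Everything here is constructed for illustration: the hostnames, the reset URL
path, the token and the log format are assumptions, not values from Snipe-IT.
"""
import re
from urllib.parse import urlparse, urlunparse

# Operator-configured canonical base URL of the application (assumption: the
# application exposes such a setting; Laravel-based apps call it APP_URL).
APP_URL = "https://assets.example.internal"
TRUSTED_HOSTS = {"assets.example.internal"}

# Assumed reset-link path layout, chosen for the example only.
RESET_PATH = "/password/reset/"


def build_reset_link_vulnerable(request_host: str, token: str) -> str:
    """Unsafe pattern: the link is derived from the Host header the client sent,
    so whoever controls that header controls where the emailed link points."""
    return f"https://{request_host}{RESET_PATH}{token}"


def host_is_trusted(host_header: str) -> bool:
    """Allowlist check on a Host header value. An optional :port suffix is
    stripped; anything not exactly matching a configured hostname is rejected."""
    host = host_header
    if re.search(r":\d+$", host):
        host = host.rsplit(":", 1)[0]
    return host.lower() in TRUSTED_HOSTS


def build_reset_link_hardened(request_host: str, token: str) -> str:
    """Hardened pattern: refuse untrusted Host values up front, then build the
    link from the configured APP_URL rather than from anything in the request."""
    if not host_is_trusted(request_host):
        raise ValueError(f"untrusted Host header: {request_host!r}")
    base = urlparse(APP_URL)
    return urlunparse((base.scheme, base.netloc, RESET_PATH + token, "", "", ""))


# Detection side: flag password-reset requests whose Host is not on the allowlist.
# Constructed log format: "<client_ip> <method> <path> host=<Host header> <status>"
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) host=(?P<host>\S+) (?P<status>\d{3})$"
)
SAMPLE_LOG = """\
10.0.0.5 POST /password/email host=assets.example.internal 302
10.0.0.9 POST /password/email host=attacker.example 302
10.0.0.5 GET /login host=assets.example.internal 200
10.0.0.9 POST /password/email host=assets.example.internal:443 302
"""


def find_suspicious_reset_requests(log_text: str) -> list:
    """Return (client_ip, host) pairs for password-reset requests whose Host
    header is not on the allowlist. A port on a trusted host is not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["path"].startswith("/password/") and not host_is_trusted(m["host"]):
            hits.append((m["ip"], m["host"]))
    return hits


if __name__ == "__main__":
    token = "constructed-token-123"
    print("vulnerable:", build_reset_link_vulnerable("attacker.example", token))
    print("hardened:  ", build_reset_link_hardened("assets.example.internal", token))
    print("flagged:   ", find_suspicious_reset_requests(SAMPLE_LOG))
```

The point of the hardened variant is that the emailed URL never depends on request data at all; the Host allowlist is a second layer that also gives the detector something concrete to alert on, since a reset request with a Host outside the allowlist has no legitimate reason to exist.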