Security Vulnerability Report: Host Header Injection in CraftMyCMS 4.0.2.2

Open bugdotexe opened this issue 3 months ago • 0 comments

Reported by: Nyein Chan Aung (bugdotexe)
Affected Version: CraftMyCMS 4.0.2.2
CVE Requested: Yes


Summary

A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The application builds the password reset link sent by email directly from $_SERVER['HTTP_HOST'], which is nothing more than the Host header supplied by the client. By sending a reset request with a forged Host header, an attacker causes the victim to receive a reset link that points at an attacker-controlled domain, enabling phishing and, because the reset key is carried in that link, account takeover.


Vulnerable Code

    <a href="http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'?email='.$selectMembre['email'].'&key='.$key.'">

  • $_SERVER['HTTP_HOST'] is taken straight from the request's Host header, without validation.
  • No whitelist or domain validation is applied, so any value the client sends becomes the link's host.
  • The link is built with a hard-coded http:// scheme, and $_SERVER['REQUEST_URI'] (also client-supplied) and the email and key values are concatenated without URL encoding.

Impact

  • Attackers can cause password reset emails to carry links pointing to domains under their control.
  • When the victim clicks such a link, the request, including the email address and the reset key in the query string, is sent to the attacker's server; the attacker can then use that key to complete the reset on the legitimate site, or serve a fake reset page to harvest credentials.
  • Because the email is sent by the legitimate application from its own mail infrastructure, the message looks authentic and combines well with phishing or social engineering.

Steps to Reproduce

  1. Open a password reset request form on a CraftMyCMS 4.0.2.2 instance.

  2. Modify the HTTP Host header in your request to an attacker-controlled domain, e.g.:

    Host: attacker.com
    
  3. Submit the password reset request.

  4. Check the email received by the victim.

  5. Observe that the reset link now points to http://attacker.com/... instead of the legitimate site.


PoC Example

curl -H "Host: attacker.com" \
     -d "pseudo=targetuser&[email protected]" \
     https://victim-site.com/recover-password.php

Recommended Mitigation

  1. Do not trust $_SERVER['HTTP_HOST'] when generating links that leave the application (emails, redirects).
  2. Hardcode the canonical domain (or read it from application configuration) and build the reset link from it:

    $domain = 'https://example.com';
    $url = $domain.'/reset-password.php?email='.$selectMembre['email'].'&key='.$key;

  3. Alternatively, validate HTTP_HOST against a whitelist of allowed domains using an exact match (not a substring or prefix check), and reject the request rather than falling back to the supplied value.
  4. Always send reset links over HTTPS.
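The following is an added example, not CraftMyCMS code, showing the vulnerable construction from this report beside a hardened version of the two mitigations above: an exact-match allowlist check on HTTP_HOST and a reset link built from a configured base URL with URL-encoded parameters. APP_BASE_URL, ALLOWED_HOSTS, request_host_is_allowed() and build_reset_url() are names chosen for this example; the script name recover-password.php is taken from the PoC on this page.

```php
<?php
// Added example (not from the CraftMyCMS code base).
// Assumptions: the canonical origin and the host allowlist come from
// application configuration; the names below are illustrative.
const APP_BASE_URL  = 'https://example.com';               // assumed canonical origin
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];   // assumed allowlist

// Exact-match check of the request Host header. Strips an optional :port,
// lower-cases, and compares against the allowlist; no substring matching,
// so "example.com.attacker.com" or "attacker.com" are rejected.
function request_host_is_allowed(array $server, array $allowed): bool
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);
    return $host !== '' && in_array($host, $allowed, true);
}

// Builds the reset link from the configured base URL only. The client-supplied
// Host and REQUEST_URI are never consulted, and http_build_query() percent-encodes
// both parameters so neither value can alter the URL structure.
function build_reset_url(string $baseUrl, string $email, string $key): string
{
    return rtrim($baseUrl, '/') . '/recover-password.php?'
        . http_build_query(['email' => $email, 'key' => $key]);
}

// Constructed request environment: a reset request carrying a forged Host header.
$spoofedServer = [
    'HTTP_HOST'   => 'attacker.com',
    'REQUEST_URI' => '/recover-password.php',
];
$email = 'victim@example.com';
$key   = bin2hex(random_bytes(16));

// Vulnerable form, as reported: the attacker's host ends up in the emailed link.
$vulnerableUrl = 'http://' . $spoofedServer['HTTP_HOST'] . $spoofedServer['REQUEST_URI']
    . '?email=' . $email . '&key=' . $key;
// $vulnerableUrl is now http://attacker.com/recover-password.php?email=victim@example.com&key=...

// Hardened form: reject the request if the Host header is not one of ours,
// and never derive the link from the request in the first place.
if (!request_host_is_allowed($spoofedServer, ALLOWED_HOSTS)) {
    http_response_code(400);
    echo "Rejected: unexpected Host header\n";
    exit;   // do not send any email
}
$safeUrl = build_reset_url(APP_BASE_URL, $email, $key);
// $safeUrl is always https://example.com/recover-password.php?email=victim%40example.com&key=...
```

Run with `php example.php`; with the forged Host shown above the script exits before any link is produced, and with an allowed Host it produces a link rooted at APP_BASE_URL regardless of what the request contained. If the application sits behind a reverse proxy, the allowlist should be checked against the Host value the proxy forwards, which is one more reason to build outbound links from configuration rather than from request headers.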

Severity: High
CVSS (if known): 7.5 (High)

Hey team, let's assign a CVE ID for this vulnerability. Thanks, Nyein Chan Aung [email protected]

bugdotexe, Sep 21 '25 17:09