MasaCMS
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*
- <= 7.4.5
A host header poisoning vulnerability has been identified in Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6. This vulnerability allows for account takeover through the password reset email process. When a password reset is requested, the application uses the HOST header to generate the reset link. By manipulating this header, an attacker can redirect the link to a server they control, potentially leading to unauthorized access to the victim's account. This issue is particularly concerning for admin accounts, as it could result in complete server or database control, especially if certain features are enabled.
Exploitation of this vulnerability can lead to unauthorized account access, with elevated risks for admin accounts, including potential server or database control.
To reproduce this vulnerability, send a POST request to '/admin/?muraAction=cLogin.main' with a modified HOST header. Alternatively, use Burp Suite to intercept a password reset request for an admin user and change the HOST header to a server you control. If the reset email contains the modified HOST value, the vulnerability is confirmed.
Users can update to Masa CMS versions 7.2.8, 7.3.13, or 7.4.6, where this vulnerability has been fixed.
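As an added defensive example (not Masa CMS code): the unsafe pattern the advisory describes, in which the reset link's host is copied from the HTTP Host header, beside a hardened builder that validates the header against an allow-list and takes the origin from configuration, plus a check over constructed log lines for requests to the endpoint named above carrying an unexpected Host. The host names, reset path and log format are assumptions made for the example.

```python
# Constructed configuration for this example (not Masa CMS settings).
ALLOWED_HOSTS = {"cms.example.org", "www.example.org"}
CANONICAL_ORIGIN = "https://cms.example.org"  # from config, never the request
RESET_PATH = "/reset?token="  # hypothetical reset path

def vulnerable_reset_link(request_host: str, token: str) -> str:
    """The pattern the advisory describes: the link's host is copied from the
    HTTP Host header, so whoever controls that header controls the link."""
    return f"https://{request_host}{RESET_PATH}{token}"

def host_is_trusted(request_host: str) -> bool:
    """Exact allow-list match after normalising case and an optional port.
    Empty, malformed and IPv6-literal values are rejected rather than guessed."""
    if not request_host or request_host.startswith("["):
        return False
    host = request_host.strip().lower().split(":", 1)[0]
    return host in ALLOWED_HOSTS

def safe_reset_link(request_host: str, token: str) -> str:
    """Hardened builder: the Host header is validated but never used to build
    the link; the origin always comes from CANONICAL_ORIGIN."""
    if not host_is_trusted(request_host):
        raise ValueError(f"rejected untrusted Host header: {request_host!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}{token}"

def suspicious_reset_requests(log_lines: list[str]) -> list[str]:
    """Detection: log lines for the endpoint named in the advisory whose Host
    value is not allow-listed. Constructed log format: '<method> <path> host=<Host>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or "muraAction=cLogin.main" not in parts[1]:
            continue
        if not host_is_trusted(parts[2].removeprefix("host=")):
            hits.append(line)
    return hits

if __name__ == "__main__":
    token = "constructed-token"
    print(vulnerable_reset_link("untrusted.example", token))  # link now points off-site
    print(safe_reset_link("CMS.example.org:443", token))      # origin taken from config
    print(suspicious_reset_requests([
        "POST /admin/?muraAction=cLogin.main host=cms.example.org",
        "POST /admin/?muraAction=cLogin.main host=untrusted.example",
    ]))
```

Alerting on the flagged lines gives an early signal of reset-link tampering on unpatched instances, while upgrading to the fixed versions remains the actual remedy.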