Aggie Password Reset Host Header Injection Vulnerability
Vulnerability
A host header injection vulnerability has been identified in Aggie version 2.6.1, in the password reset feature. The application builds the absolute password reset URL from the untrusted 'Host' request header without validating it against the instance's configured hostname. An attacker who requests a reset for a victim's email address while supplying a forged 'Host' header therefore causes the reset email sent to the victim to contain a link pointing at an attacker-controlled domain. If the victim follows that link, the reset token is disclosed to the attacker, who can use it to set a new password and take over the account; the same mechanism also lends itself to phishing.
Impact
A successful exploit lets an attacker send victims legitimate-looking reset emails whose links point at an attacker-controlled domain (phishing), capture the password reset token when a victim follows such a link, and use that token to reset the password and take over the account. The attack requires no authentication, only the target's email address, but it does depend on the victim clicking the injected link.
Reproduction
To reproduce, send a POST request to the '/auth/forgot' endpoint of the affected Aggie instance with the 'Host' header set to an attacker-controlled domain and an 'email' parameter in the request body naming a user registered on that instance. The reset email delivered to that user then contains a link whose origin is the injected host rather than the instance's real hostname; the presence of the injected domain in the delivered link confirms the issue.
