CTFd Host Header Injection Vulnerability Allowing Phishing and Password Reset

Vulnerability

A Host header injection vulnerability has been identified in CTFd version 3.7.5. The application does not validate the HTTP Host header against an expected server name, and the header value is used as received when the application builds absolute URLs, including the link placed in password reset emails. An attacker who controls the Host value of a request can therefore cause those URLs to point at a domain of their choosing, which enables phishing, hijacking of the password reset flow, and web cache poisoning. The vulnerability was confirmed through manual analysis and exploitation in a real-world environment.

Impact

Exploitation of this vulnerability allows Host header injection, which can be used to deliver phishing links that appear to originate from the CTFd instance, to redirect password reset links (and the reset token they carry) to an attacker-controlled host, leading to account takeover including administrator accounts, or to poison caches that key on the generated URLs.

Reproduction

To reproduce this vulnerability, send an HTTP request to the CTFd application with a manipulated Host header, for example using Burp Suite. Change the Host header to a domain that you control and observe whether the application still processes the request normally; if it does, the application is not pinning requests to its configured hostname. To confirm the impact, request a password reset for an account you control while the Host header carries your domain, and check the reset email: the reset link will point at your domain rather than the real CTFd host. The same request can then be issued for an administrator's email address. The administrator receives a legitimate-looking reset email whose link leads to the attacker's host, and if the link is followed the reset token is disclosed to the attacker, who can submit it to the real application to set a new password. Note that exploitation requires the victim to open the link, and that a reverse proxy which only forwards requests for the expected hostname will block the injected Host before it reaches the application.

Remediation

Users are advised to update to CTFd version 3.7.6, which includes a security configuration improvement addressing this issue. Self-hosted users can download the latest version from the CTFd GitHub repository. As a general mitigation until the upgrade is applied, operators should configure the reverse proxy or web server in front of CTFd to accept only the expected hostname(s) and reject or drop requests with any other Host value, so that the application never sees an attacker-supplied host.
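The following is an added example, not CTFd's own code, illustrating both the reproduction above and the remediation: a reset-link builder that copies the request Host header into the link (the behaviour behind a Host header injection) beside a hardened builder that validates the Host against an allowlist and pins the link to a configured canonical hostname. The hostnames, tokens and request headers are constructed for the example; `CANONICAL_HOST`, `ALLOWED_HOSTS` and the `/reset_password/<token>` path are assumptions, not CTFd's real configuration or routes.

```python
"""
Added example (not CTFd's own code): building a password reset link from the
request Host header, and the hardened alternative.  All hosts, tokens and
headers below are constructed for the example.
"""
from typing import Optional
from urllib.parse import urlunsplit

# Assumed deployment setting: the one hostname users should reach the app on.
CANONICAL_HOST = "ctf.example.org"
ALLOWED_HOSTS = {CANONICAL_HOST}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Build the absolute reset URL from whatever Host the client sent.

    This is what a framework does when it derives external URLs from the
    request and no server name is configured: the authority of the link comes
    straight from the Host header, so 'Host: attacker.example' produces a link
    to the attacker's site carrying the victim's reset token.
    """
    host = headers.get("Host", "localhost")
    scheme = headers.get("X-Forwarded-Proto", "http")  # assumed proxy header
    return urlunsplit((scheme, host, f"/reset_password/{token}", "", ""))


def validate_host(host_header: str, allowed: set) -> Optional[str]:
    """Return the normalised hostname if it is on the allowlist, else None.

    Handles an optional port, a bracketed IPv6 literal, letter case and a
    trailing dot, so 'CTF.example.org:8443' matches 'ctf.example.org' while
    'ctf.example.org.attacker.example' and an empty Host are rejected.
    """
    if not host_header:
        return None
    value = host_header.strip().lower()
    if value.startswith("["):  # IPv6 literal such as [::1]:8000
        end = value.find("]")
        if end == -1:
            return None
        hostname = value[: end + 1]
    else:
        hostname = value.split(":", 1)[0]
    hostname = hostname.rstrip(".")
    return hostname if hostname in allowed else None


def build_reset_link_hardened(headers: dict, token: str,
                              allowed: set = ALLOWED_HOSTS,
                              canonical: str = CANONICAL_HOST) -> str:
    """Reject requests whose Host is off the allowlist and never copy the
    header into the link: the authority is always the configured host."""
    if validate_host(headers.get("Host", ""), allowed) is None:
        raise ValueError("untrusted Host header; refusing to build reset link")
    return urlunsplit(("https", canonical, f"/reset_password/{token}", "", ""))


if __name__ == "__main__":
    # Constructed request as an attacker would send it through Burp Suite.
    attacker_request = {"Host": "attacker.example"}
    print("vulnerable:", build_reset_link_vulnerable(attacker_request, "t0k"))
    try:
        build_reset_link_hardened(attacker_request, "t0k")
    except ValueError as err:
        print("hardened:", err)
    print("hardened:", build_reset_link_hardened({"Host": "CTF.example.org:8443"}, "t0k"))
```

The hardened builder does two independent things: it refuses to serve requests whose Host is not expected (the equivalent of rejecting them at the proxy), and even for accepted requests it never echoes the header back, so a misconfigured allowlist cannot turn into an off-site reset link.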

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.9
exploitability: 9.7
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.