Hashview Password Reset Vulnerability Leading to Account Takeover

Vulnerability

A vulnerability in Hashview version 0.8.1 and earlier allows account takeover through the password reset feature. The application does not set SERVER_NAME, so the password reset link is built from the Host HTTP header of the incoming request. An attacker who supplies a crafted Host header in a reset request can make the generated reset link point to an attacker-controlled domain. When the victim clicks the link, the reset token is delivered to the attacker's server, giving full access to the victim's account.

Impact

Exploitation of this vulnerability allows for remote account takeover and unauthorized password resets.

Reproduction

To reproduce this vulnerability, send a password reset request that includes a manipulated Host header. The application generates a password reset link that points to the attacker-controlled domain. When the victim clicks this link, the reset token is sent to the attacker, who can then reset the victim's password.

Remediation

To address this vulnerability, explicitly set SERVER_NAME in the application configuration so that generated links use a fixed, trusted hostname rather than the request's Host header. Additionally, validate the Host header against an allow-list of expected hostnames and reject requests that do not match, and remove the `_external=True` option from the reset-link `url_for` call if an absolute URL is not actually required.
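The following is an added example, not Hashview's code: a dependency-free model of the vulnerable link construction beside the fixed one, plus the Host allow-list check that a Flask `before_request` hook would perform. The SERVER_NAME value, the allow-list and the `/reset_password/<token>` route are constructed assumptions.

```python
"""Host-header reset-link issue and its mitigation, modelled without Flask."""

# Constructed configuration: the canonical hostname the operator sets as
# SERVER_NAME, and the set of Host values the deployment will accept.
SERVER_NAME = "hashview.example.internal"
ALLOWED_HOSTS = {SERVER_NAME, "localhost:5000"}
RESET_PATH = "/reset_password/"  # assumed route; the real path is not shown here


def reset_url_from_host_header(host_header: str, token: str) -> str:
    """Vulnerable pattern: the link's origin is whatever Host the client sent.

    This is what an external url_for() falls back to when SERVER_NAME is unset.
    """
    return f"https://{host_header}{RESET_PATH}{token}"


def reset_url_from_server_name(token: str) -> str:
    """Fixed pattern: the origin comes from configuration, never the request."""
    return f"https://{SERVER_NAME}{RESET_PATH}{token}"


def host_is_allowed(host_header) -> bool:
    """Allow-list check for Host (case-insensitive, rejects absent/empty values).

    Port is compared too, so 'localhost:5000' and 'localhost' are distinct.
    """
    if not host_header:
        return False
    allowed = {h.lower() for h in ALLOWED_HOSTS}
    return host_header.strip().lower() in allowed


def handle_reset_request(headers: dict, token: str):
    """Model of the hardened request flow.

    Returns (status, reset_url). A request with an unexpected Host is
    rejected before any email is built, and the link that is built for an
    accepted request uses SERVER_NAME rather than the header.
    """
    if not host_is_allowed(headers.get("Host")):
        return 400, None
    return 200, reset_url_from_server_name(token)
```

In a real Flask deployment the equivalent is `app.config["SERVER_NAME"] = "hashview.example.internal"` plus a `before_request` handler that aborts when `request.host` is not in the allow-list.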

Added: Jul 7, 2025, 4:14 PM
Updated: Jul 7, 2025, 4:14 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.