fblog Host Header Injection Vulnerability Leading to Account Takeover
Vulnerability
A host header injection vulnerability has been identified in fblog, specifically in versions through commit 983bede. The issue arises because the Flask application does not have a configured SERVER_NAME, allowing the password reset feature to rely on the untrusted Host HTTP header. This vulnerability enables an attacker to hijack the password reset process and take over user accounts by forging the Host header to point to a domain under their control.
Impact
Exploitation of this vulnerability allows for remote account takeover.
Reproduction
To reproduce this vulnerability, send a request to the application with a malicious Host header that directs to a domain controlled by the attacker. The application will generate a password reset link pointing to the attacker's domain. When the victim clicks the link, the reset token is exposed to the attacker.
Remediation
To address this vulnerability, explicitly set SERVER_NAME in the Flask application configuration so that url_for builds absolute links from the configured name rather than from the incoming Host header. Additionally, validate or sanitize the Host header against an allow-list of expected hosts, and remove the _external=True parameter from the url_for call if an absolute URL is not necessary.
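The following is an added example, not fblog's own code, contrasting a reset-link builder that mirrors url_for(..., _external=True) with no SERVER_NAME configured against a hardened builder that uses a fixed SERVER_NAME and a Host allow-list; the domain, path and token values are placeholders.

```python
from urllib.parse import urlunsplit

# Hypothetical fixed configuration, equivalent to setting
# app.config["SERVER_NAME"] in a hardened Flask app (placeholder domain).
SERVER_NAME = "blog.example"
ALLOWED_HOSTS = {SERVER_NAME}
RESET_PATH = "/reset_password/"


def normalize_host(request_host):
    """Lower-case the Host header value and drop an explicit port, so
    'BLOG.example:443' and 'blog.example' compare equal."""
    return request_host.strip().lower().split(":", 1)[0]


def is_trusted_host(request_host):
    """Allow-list check a before_request hook would perform on every request."""
    return normalize_host(request_host) in ALLOWED_HOSTS


def vulnerable_reset_url(request_host, token):
    """Mirrors url_for(..., _external=True) without SERVER_NAME: the host of
    the generated link is taken verbatim from the untrusted Host header, so
    whatever host the request carries ends up in the emailed link."""
    return urlunsplit(("https", request_host, RESET_PATH + token, "", ""))


def hardened_reset_url(request_host, token):
    """Rejects requests whose Host header is not on the allow-list and builds
    the link from the configured SERVER_NAME only, never from the request."""
    if not is_trusted_host(request_host):
        raise ValueError(f"untrusted Host header: {request_host!r}")
    return urlunsplit(("https", SERVER_NAME, RESET_PATH + token, "", ""))


if __name__ == "__main__":
    token = "tok123"  # constructed sample token
    print("vulnerable:", vulnerable_reset_url("forged.example", token))
    print("hardened:  ", hardened_reset_url("blog.example:443", token))
```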