Piwigo Password Reset Vulnerability Leading to Account Takeover

Vulnerability

A vulnerability in Piwigo version 15.6.0 allows account takeover through the password-reset function. The application builds the password-reset URL from the hostname in the HTTP request's Host header, which is not validated. This flaw lets an attacker replace the hostname in the password-reset URL with one of their choosing, potentially leading to theft of the reset key and unauthorized access to the victim's account.

Impact

Exploitation of this vulnerability allows for one-click account takeover.

Reproduction

To reproduce this vulnerability, first configure SMTP in the Piwigo local configuration file so that emails can be sent and received. Then, an attacker can request a password reset for a known username or email address. By relaying the request through a proxy and changing the Host header to a malicious domain, the attacker can send a spoofed password-reset URL to the victim. If the victim clicks the link, the reset key is leaked to the attacker, who can then use it to take over the account.

Remediation

Users are advised to update to Piwigo version 15.7.0, where this vulnerability has been patched.
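The following is an added illustration of the weakness described above and of the fix pattern a host-header-independent reset flow uses; it is example code, not Piwigo's own source, and the base URL, allowlist, reset path and sample key are assumed, constructed values.

```python
from urllib.parse import urlencode, urlsplit

# Assumptions (illustrative, not Piwigo's real configuration or code): the
# operator configures the canonical public base URL once, and every hostname
# that may legitimately appear in a Host header is allowlisted.
CANONICAL_BASE = "https://gallery.example.org/piwigo"
ALLOWED_HOSTS = {"gallery.example.org"}
RESET_PATH = "/password.php"  # assumed reset endpoint path, for illustration only


def host_from_header(headers):
    """Return the lowercased hostname from a Host header, with any port removed."""
    raw = headers.get("Host", "").strip().lower()
    # urlsplit on "//host:port" separates the hostname from the port reliably
    return urlsplit("//" + raw).hostname or ""


def reset_url_vulnerable(headers, key):
    """The pattern the advisory describes: the link's host is copied from the
    request, so whatever the client sent as Host ends up in the e-mailed link."""
    return f"https://{host_from_header(headers)}{RESET_PATH}?{urlencode({'key': key})}"


def reset_url_hardened(headers, key):
    """Fixed pattern: refuse requests whose Host is not allowlisted, and build the
    link from the configured canonical base instead of from the request."""
    host = host_from_header(headers)
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header {host!r}; refusing to send reset link")
    return f"{CANONICAL_BASE}{RESET_PATH}?{urlencode({'key': key})}"


def link_points_home(url):
    """Defender-side check on outbound mail: does a reset link target a known host?"""
    return (urlsplit(url).hostname or "") in ALLOWED_HOSTS


# Constructed sample requests: one legitimate, one carrying a forged Host header.
LEGIT = {"Host": "gallery.example.org"}
FORGED = {"Host": "Attacker-Controlled.example:8080"}
KEY = "constructed-reset-key-0123"  # placeholder, not a real token format

if __name__ == "__main__":
    print(reset_url_vulnerable(FORGED, KEY))        # link carries the key to the forged host
    print(reset_url_hardened(LEGIT, KEY))           # canonical link regardless of Host
    print(link_points_home(reset_url_vulnerable(FORGED, KEY)))  # False
```

The `link_points_home` check is the kind of assertion a mail-sending hook or an integration test can apply to every reset e-mail, so a regression of this bug is caught before a message leaves the server.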

Added: Nov 18, 2025, 11:23 PM
Updated: Nov 18, 2025, 11:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 7.5
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.