Drawing-Captcha APP Host Header Injection Vulnerability in Email Confirmation Process

Vulnerability

A host header injection vulnerability has been identified in the Drawing-Captcha APP, specifically within the email confirmation process. This issue affects all versions prior to 1.2.5-alpha-patch. The vulnerability arises in the '/register' and '/confirm-email' endpoints, where the application improperly sanitizes the Host header from incoming HTTP requests. This flaw allows attackers to manipulate the Host header, creating malicious email confirmation links that redirect users to attacker-controlled domains. As a result, attackers can intercept email confirmation tokens and verify accounts on behalf of victims, leading to unauthorized account access. Additionally, this vulnerability could be exploited for phishing attacks by directing users to fake login pages that mimic legitimate services.

Impact

Exploitation of this vulnerability allows for host header injection, leading to the creation of malicious email confirmation links. Users who click these links are redirected to attacker-controlled domains, where their email confirmation tokens can be intercepted and used to verify accounts, potentially leading to unauthorized access. Furthermore, this vulnerability could be used in phishing attacks by directing users to fake login pages on the attacker's domain.

Reproduction

To reproduce this vulnerability, create a new account or request a verification email. Intercept the HTTP POST request to the '/confirm-email' endpoint and modify the Host header to an attacker-controlled domain. Forward the request and check the email for the confirmation link, which will now point to the attacker's domain. Clicking this link will redirect to the attacker's server, where the email confirmation token can be captured and used to verify the victim's account.

Remediation

Users are advised to upgrade to version 1.2.5-alpha-patch or later, where this vulnerability has been fixed. Additionally, as a temporary workaround, a fixed base URL can be hardcoded into the application to construct email confirmation links, bypassing the need to rely on the Host header. Implementing a whitelist of allowed hostnames can also help mitigate the risk by rejecting untrusted Host headers.
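The following is an added illustration of the two mitigations above (a fixed base URL and an allowlist of trusted hostnames) beside the header-trusting pattern they replace. It is example code written for this advisory, not the Drawing-Captcha APP's own source; the configuration values, the '/confirm-email' query parameter name and the function names are assumptions.

```python
from __future__ import annotations
from urllib.parse import quote

# Constructed, hypothetical configuration for this example; the real
# application's settings and route layout are not known from the advisory.
APP_BASE_URL = "https://captcha.example.com"          # fixed origin for all links
ALLOWED_HOSTS = {"captcha.example.com", "localhost:3000"}  # compared exactly, incl. port
CONFIRM_PATH = "/confirm-email"


def build_link_vulnerable(host_header: str, token: str) -> str:
    """Pre-fix pattern: the link's origin is copied from the request's Host
    header, so a tampered header produces a link to the sender's domain."""
    return f"https://{host_header}{CONFIRM_PATH}?token={quote(token)}"


def normalize_host(host_header: str | None) -> str | None:
    """Trim and lower-case the header; None for a missing or empty value."""
    if not host_header or not host_header.strip():
        return None
    return host_header.strip().lower()


def is_trusted_host(host_header: str | None) -> bool:
    """Exact-match allowlist check. Deliberately not a suffix or substring
    test: 'captcha.example.com.attacker.example' must not pass."""
    return normalize_host(host_header) in ALLOWED_HOSTS


def build_confirmation_link(host_header: str | None, token: str) -> str:
    """Hardened version: reject requests whose Host is not allowlisted, and
    build the link from the fixed base URL so the header never reaches it."""
    if not is_trusted_host(host_header):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return f"{APP_BASE_URL}{CONFIRM_PATH}?token={quote(token)}"


if __name__ == "__main__":
    # Constructed sample: a confirmation request arriving with a tampered Host.
    tampered = "attacker.example"
    print("vulnerable:", build_link_vulnerable(tampered, "t0k3n"))
    try:
        build_confirmation_link(tampered, "t0k3n")
    except ValueError as err:
        print("hardened:", err)
    print("hardened:", build_confirmation_link("captcha.example.com", "t0k3n"))
```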

Added: Oct 16, 2025, 7:17 PM
Updated: Oct 16, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.