Monica
cpe:2.3:a:monicahq:monica:*:*:*:*:*:*:*
- 4.1.2
A Host header poisoning vulnerability has been identified in Monica version 4.1.2. The application builds absolute URLs from the HTTP Host header supplied by the client, in particular in the 'AppServiceProvider.php' file, without validating that header. The issue is exacerbated by a default misconfiguration: 'app.force_url' is not set, so the configured 'APP_URL' is never forced as the root URL and every generated absolute URL inherits whatever host the request carried. As a result, a remote attacker can poison password reset links so that the reset token is sent to an attacker-controlled domain, enabling account takeover.
Exploitation allows account takeover: the password reset email delivered to the victim contains a link pointing at the attacker's domain, so when the victim opens it the reset token lands in the attacker's server logs and can be replayed against the real application to set a new password for the victim's account. No authentication is required, only knowledge of the victim's email address.
To reproduce, submit a password reset request for the victim's email address while intercepting it with a proxy, and change the Host header to an attacker-controlled domain before forwarding the request. Because the reset link is built from that header, the victim receives a password reset email whose link points at the attacker's domain; when the victim follows it, the reset token is captured there and can then be submitted to the legitimate Monica instance to reset the victim's password. This only works if the web server answers requests for arbitrary Host values (for example, Monica is served from the default virtual host), which is the common deployment case.
Users and administrators should edit their '.env' file to set 'APP_URL' to the canonical public URL of the instance (scheme and hostname) and 'APP_FORCE_URL' to true, so that absolute URLs are generated from configuration rather than from the incoming request. Developers are advised to additionally validate the 'Host' header strictly against a whitelist of expected hostnames and reject any request that does not match, so that a spoofed header never reaches URL generation at all.
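The following is an added example written for this advisory; it is not Monica's own code. It shows the two remediation layers in a Laravel application: forcing the configured root URL so generated links no longer depend on the request's Host header, and a middleware that rejects requests whose Host is not on an allowlist. The hostname 'monica.example.com', the middleware class name 'ValidateHost', and the assumption that 'config/app.php' maps 'APP_FORCE_URL' to the 'app.force_url' key are illustrative; PHP 8 is assumed for 'str_starts_with'.

```php
<?php
// Added example for this advisory, not Monica's own code.
//
// .env (the vulnerable default leaves APP_FORCE_URL unset):
//
//   APP_URL=https://monica.example.com   # assumed hostname
//   APP_FORCE_URL=true
//
// config/app.php is assumed to expose it as:
//   'force_url' => env('APP_FORCE_URL', false),

namespace App\Providers;

use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Without this, URL::to() and route() build absolute URLs from the
        // request's Host header, which is what lets an attacker poison the
        // password reset link. Forcing the root URL pins them to APP_URL.
        if (config('app.force_url')) {
            URL::forceRootUrl(config('app.url'));
            if (str_starts_with((string) config('app.url'), 'https://')) {
                URL::forceScheme('https');
            }
        }
    }
}

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Defence in depth: refuse any request whose Host header is not a hostname
// this deployment is meant to answer for. Register it in the global
// middleware stack so it runs before any route or password-reset logic.
class ValidateHost
{
    /**
     * Normalise a raw Host header to a bare lowercase hostname: strips
     * surrounding whitespace, a trailing dot and a :port suffix (IPv6
     * literals keep their brackets). Returns null when the value contains
     * characters that can never appear in a hostname, so such values are
     * rejected rather than partially matched.
     */
    public static function normalise(string $rawHost): ?string
    {
        $host = strtolower(trim($rawHost));
        if ($host === '' || !preg_match('/^[a-z0-9.\-:\[\]]+$/', $host)) {
            return null;
        }
        if ($host[0] === '[') {
            // IPv6 literal such as "[::1]:8080"
            $end = strpos($host, ']');
            return $end === false ? null : substr($host, 0, $end + 1);
        }
        $host = explode(':', $host, 2)[0];   // drop ":port"
        return rtrim($host, '.') ?: null;    // drop trailing dot
    }

    /** Exact match only: no substring or suffix matching, which is a classic bypass. */
    public static function isAllowed(string $rawHost, array $allowedHosts): bool
    {
        $host = self::normalise($rawHost);
        return $host !== null && in_array($host, $allowedHosts, true);
    }

    public function handle(Request $request, Closure $next): Response
    {
        // Derive the allowlist from APP_URL so it cannot drift from the forced root URL.
        $allowedHosts = [parse_url((string) config('app.url'), PHP_URL_HOST)];

        if (!self::isAllowed((string) $request->headers->get('Host', ''), $allowedHosts)) {
            abort(400, 'Invalid Host header');
        }
        return $next($request);
    }
}
```

With this in place, 'attacker.example', 'monica.example.com.attacker.example' and 'MONICA.EXAMPLE.COM:443@attacker.example' are all rejected, while 'Monica.Example.com:443' and 'monica.example.com.' normalise to the allowed name. Behind a reverse proxy, have the proxy rewrite Host to the canonical name (or apply the same check to the forwarded host it sets), since the application only ever sees what the proxy passes through.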