Daylight Studio FuelCMS
cpe:2.3:a:daylightstudio:fuel_cms:*:*:*:*:*:*:*
- 1.5.2
A vulnerability in Daylight Studio FuelCMS version 1.5.2 allows attackers to exfiltrate password reset tokens through a mail splitting attack. This issue arises from the application's use of an outdated version of CodeIgniter 3, which improperly parses multiple email addresses from user-provided data. By sending a password reset request that includes both a victim's email and a malicious one, an attacker can intercept the reset token intended for the victim.
Exploitation of this vulnerability allows for account takeover by intercepting password reset tokens, which can be used to reset a user's password and gain unauthorized access to their account. If an admin or editor account is compromised, the attacker could modify or delete any content on the website.
To reproduce this vulnerability, an attacker must first identify a valid email address registered with FuelCMS. Once this is known, the attacker can use the 'Forgot Password' feature to send a password reset email to the victim while simultaneously intercepting the reset token by including a malicious email address in the request. This is done by transforming the email POST attribute into an array that contains both the victim's and the attacker's email addresses. After the password reset email is received, the attacker can use the intercepted token to reset the victim's password and gain access to their account.
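A defender-side hardening example, added here and not code from FuelCMS or CodeIgniter: the reset form's `email` parameter is normalised to exactly one validated address before anything reaches a mailer, and the reset message is sent to the address on file rather than to the submitted value. The controller fragment and its `$findUser` / `$sendReset` callbacks are hypothetical.

```php
<?php
// Added hardening example; not FuelCMS or CodeIgniter code.

/**
 * Return a single validated recipient address, or null if the submitted
 * value is an array, could be split into several addresses, or is malformed.
 */
function single_reset_recipient($raw): ?string
{
    // PHP decodes `email[]=a&email[]=b` into an array. A reset form only
    // ever submits one scalar string, so anything else is rejected outright.
    if (!is_string($raw)) {
        return null;
    }
    $addr = trim($raw);
    // Refuse anything a recipient parser could treat as a list: separators,
    // whitespace, header line breaks and angle-bracket display names.
    if ($addr === '' || preg_match('/[,;\s<>]/', $addr)) {
        return null;
    }
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower($addr);
}

/**
 * Hypothetical "Forgot Password" handler. $findUser maps an address to a
 * user record (or null); $sendReset delivers a token to one address.
 */
function handle_forgot_password(array $post, callable $findUser, callable $sendReset): string
{
    $addr = single_reset_recipient($post['email'] ?? null);
    if ($addr === null) {
        return 'invalid request';
    }
    $user = $findUser($addr);
    if ($user !== null) {
        // Deliver to the stored address, never to the request parameter.
        $sendReset($user['email'], bin2hex(random_bytes(32)));
    }
    // Identical response whether or not the account exists.
    return 'if the account exists, a reset link has been sent';
}

// Constructed sample inputs: a normal request, an array-shaped parameter,
// and a comma-joined pair of addresses.
foreach (['victim@example.com', ['victim@example.com', 'x@example.net'], 'victim@example.com, x@example.net'] as $sample) {
    var_dump(single_reset_recipient($sample));
}
```

Only the first sample yields an address; the other two shapes are rejected before any mail is built.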