AzuraCast
cpe:2.3:a:azuracast:azuracast:*:*:*:*:*:*:*
- <= 0.23.5
A vulnerability in AzuraCast versions prior to 0.23.6 allows password reset URL poisoning via the untrusted X-Forwarded-Host header. Because the reset link is built from this header, an unauthenticated attacker can supply a forged value with the password reset request so that the e-mailed link points to an attacker-controlled host, which receives the victim's reset token when the link is followed. With the token, the attacker can reset the victim's password and bypass two-factor authentication, resulting in full account takeover.
Exploitation of this vulnerability allows for complete account takeover of any user, including administrators, without prior authentication. It also bypasses two-factor authentication, as the password reset process automatically deletes 2FA settings. If an admin account is compromised, the attacker gains full control over the AzuraCast instance, including management of all stations, media, and system configurations.
To reproduce this vulnerability, send a POST request to the AzuraCast 'forgot password' endpoint, including an 'X-Forwarded-Host' header with a value controlled by the attacker. The email address of a user with an active account and two-factor authentication enabled must be specified. Once the poisoned password reset link is clicked, the reset token is sent to the attacker's server. The attacker can then capture this token and use it to reset the victim's password, effectively taking over the account.
Users should update to AzuraCast version 0.23.6 or later, where this vulnerability has been patched.
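The pattern behind this class of bug and the hardening the fix implies, shown as an added illustrative example rather than AzuraCast's own code: the weak builder takes the link host from X-Forwarded-Host as sent by any client, while the hardened builder honours that header only from a trusted proxy and only for an allowlisted host, falling back to a configured canonical base URL. The base URL, allowlist, proxy address and reset path are assumptions, not values from the advisory.

```python
# Illustrative example, not AzuraCast's own code: how a password-reset link ends up
# pointing at an attacker-chosen host when X-Forwarded-Host is trusted blindly, and how
# a hardened builder avoids that. Hostnames, proxy address and reset path are assumed.
from urllib.parse import urlsplit

CANONICAL_BASE_URL = "https://radio.example.org"   # assumed operator-configured base URL
ALLOWED_HOSTS = {"radio.example.org"}               # assumed allowlist of public hostnames
TRUSTED_PROXY_IPS = {"10.0.0.5"}                    # assumed address of the reverse proxy
RESET_PATH = "/reset-password/"                     # hypothetical path, not the real route


def build_reset_url_weak(headers: dict, token: str) -> str:
    """Weak pattern: X-Forwarded-Host from any client overrides the real Host.

    Whoever submits the forgot-password form therefore controls the host in the
    e-mailed link, and the victim's browser sends the token to that host."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}{RESET_PATH}{token}"


def build_reset_url_hardened(headers: dict, remote_addr: str, token: str) -> str:
    """Hardened pattern: honour X-Forwarded-Host only when the TCP peer is a trusted
    proxy and the forwarded host is on the allowlist; otherwise fall back to the
    configured canonical base URL rather than anything request-derived."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and remote_addr in TRUSTED_PROXY_IPS:
        # Take the first hop only, drop any :port, normalise case before comparing.
        host = forwarded.split(",")[0].strip().rsplit(":", 1)[0].lower()
        if host in ALLOWED_HOSTS:
            return f"https://{host}{RESET_PATH}{token}"
    return f"{CANONICAL_BASE_URL}{RESET_PATH}{token}"


def reset_url_is_poisoned(url: str) -> bool:
    """Check a generated link before it is mailed: True if its host is not allowlisted."""
    return urlsplit(url).hostname not in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request: forgot-password POST carrying a forged X-Forwarded-Host,
    # arriving directly from an untrusted client address.
    forged = {"Host": "radio.example.org", "X-Forwarded-Host": "untrusted.example"}
    token = "TOKEN_PLACEHOLDER"
    print(build_reset_url_weak(forged, token))                      # host is attacker-chosen
    print(build_reset_url_hardened(forged, "203.0.113.7", token))   # canonical host
```

The same check, run on every outgoing reset link, gives operators a cheap detection point: a link whose host is not on the allowlist should never be mailed.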