e107
cpe:2.3:a:e107:e107:*:*:*:*:*:*:*
- <= 2.3.3
A Host Header Injection vulnerability has been identified in e107 versions prior to 2.3.4. This vulnerability allows attackers to manipulate the Host header on the password reset page, creating links that direct to attacker-controlled domains. Such an exploit could facilitate phishing attacks, account takeovers, or other security issues, as it undermines a critical user authentication function.
An attacker who exploits the Host header injection can conduct phishing attacks by sending users manipulated password reset links, gain unauthorized access to accounts through intercepted reset tokens, and bypass security checks that rely on the Host header.
To reproduce this vulnerability, initiate a password reset request on the affected version of e107. Intercept the request using a proxy tool and modify the Host header to point to a malicious domain. Once the request is sent, the application will generate a password reset link using the injected domain, which can then be used to phish for credentials or take over an account.
Users can upgrade to e107 version 2.3.4 or later, where this vulnerability has been fixed.
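Where an immediate upgrade is not possible, or when reviewing other code for the same flaw, the pattern to look for is a reset link built from the request's Host header. The following PHP sketch is an added example, not e107's code and not the 2.3.4 patch; the host names, the `/reset?token=` path and all function names are hypothetical. It shows the request-derived link next to a form that validates the host against an allowlist and builds the link from configuration.

```php
<?php
declare(strict_types=1);

// Assumption: the canonical origin and the accepted host names come from
// server-side configuration, never from the request.
const CANONICAL_ORIGIN = 'https://www.example.test';
const ALLOWED_HOSTS = ['www.example.test', 'example.test'];

// Vulnerable pattern (the "before"): the link's host is whatever the client sent.
function resetLinkFromRequest(array $server, string $token): string
{
    $scheme = (($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '') . '/reset?token=' . rawurlencode($token);
}

// Normalise a Host header value and accept it only on an exact allowlist match.
function isAllowedHost(?string $host): bool
{
    if ($host === null) {
        return false;
    }
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d{1,5}$/', '', $host); // drop an optional port
    return in_array($host, ALLOWED_HOSTS, true);
}

// Hardened pattern: reject unexpected hosts, and build the link from
// configuration so the request cannot influence it either way.
function resetLinkHardened(array $server, string $token): ?string
{
    if (!isAllowedHost($server['HTTP_HOST'] ?? null)) {
        return null; // caller should answer 400 and send no e-mail
    }
    return CANONICAL_ORIGIN . '/reset?token=' . rawurlencode($token);
}

// Constructed sample requests (not captured traffic).
$token = bin2hex(random_bytes(16));
$hosts = ['www.example.test', 'WWW.EXAMPLE.TEST:443', 'attacker.invalid', 'www.example.test.attacker.invalid'];
foreach ($hosts as $host) {
    $server = ['HTTP_HOST' => $host, 'HTTPS' => 'on'];
    echo $host, "\n  from request: ", resetLinkFromRequest($server, $token), "\n";
    echo '  hardened:     ', resetLinkHardened($server, $token) ?? '(rejected)', "\n";
}
```

The same allowlist can also be enforced in front of the application, for example with a default virtual host that rejects requests for unknown host names.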