{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/nginx/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azuracast","nginx","azuracast/azuracast (\u003c= 0.23.5)"],"_cs_severities":["medium"],"_cs_tags":["account takeover","x-forwarded-host","password reset poisoning"],"_cs_type":"advisory","_cs_vendors":["nginx","composer"],"content_html":"\u003cp\u003eAzuraCast versions 0.23.5 and earlier are vulnerable to an account takeover vulnerability stemming from the unconditional trust of the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e HTTP header. An unauthenticated attacker can exploit this by injecting a malicious hostname into the password reset URL sent to a user. This is achieved by sending a crafted request to the \u003ccode\u003e/forgot\u003c/code\u003e endpoint with the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header set to a domain controlled by the attacker. The victim, upon clicking the poisoned link in the reset email, inadvertently sends their password reset token to the attacker\u0026rsquo;s server. This allows the attacker to reset the victim\u0026rsquo;s password and disable their two-factor authentication, gaining complete control of the account. This vulnerability exists because the \u003ccode\u003eApplyXForwarded\u003c/code\u003e middleware doesn\u0026rsquo;t validate the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header against a trusted proxy allowlist and the application uses the request host for generating security-critical URLs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/forgot\u003c/code\u003e endpoint with the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header set to a malicious domain (e.g., \u003ccode\u003eevil.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe AzuraCast application generates a password reset email containing a poisoned URL with the attacker\u0026rsquo;s domain.\u003c/li\u003e\n\u003cli\u003eThe victim receives the password reset email and clicks on the malicious link, sending a GET request to the attacker\u0026rsquo;s domain, inadvertently leaking the password reset token.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the password reset token from the URL path.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured token to access the password reset page on the legitimate AzuraCast instance.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a CSRF token from the reset page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the password reset endpoint on the real AzuraCast instance, including the CSRF token and a new password.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s password is changed, and their 2FA is disabled, granting the attacker full account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for full account takeover of any user, including administrators, without prior authentication. The attack also bypasses 2FA, negating its security benefits. If an administrator account is compromised, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings. The attack requires the victim to click a link in a legitimate-looking password reset email, increasing the likelihood of success. This can lead to unauthorized access to sensitive data, disruption of service, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement a trusted proxy allowlist in \u003ccode\u003ebackend/src/Middleware/ApplyXForwarded.php\u003c/code\u003e to validate the \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header, as described in the provided fix, to prevent hostname injection (Fix 1).\u003c/li\u003e\n\u003cli\u003eModify \u003ccode\u003eForgotPasswordAction.php\u003c/code\u003e to generate the reset URL using the configured \u003ccode\u003ebase_url\u003c/code\u003e setting rather than the request-derived URL to ensure the correct domain is used in the reset email (Fix 2).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious requests to the \u003ccode\u003e/forgot\u003c/code\u003e endpoint with a non-standard \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e header to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRemove the line \u003ccode\u003e$user-\u0026gt;two_factor_secret = null;\u003c/code\u003e from \u003ccode\u003eLoginTokenAction.php:75\u003c/code\u003e to prevent 2FA from being disabled during password reset, requiring a separate, explicit flow for 2FA recovery (Fix 3).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuracast-account-takeover/","summary":"AzuraCast is vulnerable to password reset poisoning due to unconditionally trusting the X-Forwarded-Host header, allowing an attacker to inject a malicious host into the password reset URL, exfiltrate the reset token, reset the victim's password, and disable 2FA, leading to account takeover.","title":"AzuraCast Account Takeover via X-Forwarded-Host Poisoning","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-account-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Nginx","version":"https://jsonfeed.org/version/1.1"}