Details
Bug
Resolution: Fixed
Low
None
Description
Because an administrator is allowed to change the base URL, it may be possible, with some social engineering, to escalate from administrator to system administrator through the password reset email functionality. Password reset emails (correctly) use the configured base URL to construct the password reset link, and since an administrator can change that URL they can point the link at a domain of their choice.
An attack could look something like the following*:
1. An administrator logs in and changes Stash's base URL from 'http://example.com' to 'http://exampIe.com' (note the capital 'i' in place of the 'l' in the second domain).
2. The admin submits a 'forgot password' request against a system administrator account.
3. The admin waits until the system admin clicks the password reset link in the 'password reset request' email.
4. At the admin's domain, the password reset token is extracted from the system admin's HTTP request (the token is part of the link, so it arrives in the request line of the victim's GET) and is used to change the system administrator's password in Stash.
* Assume:
1. Stash is running on http://example.com.
2. An evil admin controls the http://exampIe.com domain.
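The scenario above, played out end to end as an added example. This is a self-contained model written for this page, not Stash code: the permission names (USER, ADMIN, SYS_ADMIN), the settings store, the reset link format and the hardened variant of the base URL change are all assumptions of the model, not Stash's actual fix.

```python
"""Model of the base-URL / password-reset escalation described above.

Added illustration, not Stash code: every permission name, function and
link format below is an assumption made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit
import secrets

# Hypothetical permission levels, weakest to strongest (assumption).
USER, ADMIN, SYS_ADMIN = "USER", "ADMIN", "SYS_ADMIN"


@dataclass
class User:
    name: str
    permission: str


@dataclass
class Settings:
    base_url: str                                        # used to build links in outgoing mail
    reset_tokens: Dict[str, str] = field(default_factory=dict)  # token -> account (constructed store)


def change_base_url_vulnerable(actor: User, settings: Settings, new_url: str) -> None:
    """Behaviour the report describes: any ADMIN may point the base URL anywhere."""
    if actor.permission not in (ADMIN, SYS_ADMIN):
        raise PermissionError("admin permission required")
    settings.base_url = new_url


def change_base_url_hardened(actor: User, settings: Settings, new_url: str,
                             allowed_hosts: Set[str]) -> None:
    """Hardened variant (assumed design): only a SYS_ADMIN may change the base
    URL, and only to a host on an explicit allowlist. Hostnames are compared
    lowercased, so 'exampIe.com' is seen as 'exampie.com', a different name
    from 'example.com', and is rejected rather than mistaken for the real host."""
    if actor.permission != SYS_ADMIN:
        raise PermissionError("system admin permission required to change base URL")
    host = (urlsplit(new_url).hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"base URL host {host!r} is not on the allowlist")
    settings.base_url = new_url


def request_password_reset(settings: Settings, account: str) -> str:
    """Mint a reset token for `account` and return the link that would be
    emailed. The link is built from the configured base URL, which is exactly
    what makes the base URL security-relevant."""
    token = secrets.token_urlsafe(32)
    settings.reset_tokens[token] = account
    return f"{settings.base_url.rstrip('/')}/passwordreset?token={token}"


def attacker_server_handles(request_target: str) -> Optional[str]:
    """Step 4 of the attack: the evil admin's web server receives the victim's
    GET for the reset link and pulls the token out of the query string."""
    query = parse_qs(urlsplit(request_target).query)
    return query.get("token", [None])[0]


def reset_password(settings: Settings, token: str, new_password: str) -> str:
    """Consume the token and return the account whose password was changed."""
    return settings.reset_tokens.pop(token)


def run_attack(harden: bool) -> Optional[str]:
    """Play the report's scenario. Returns the account the attacker took over,
    or None if the attack was blocked."""
    settings = Settings(base_url="http://example.com")          # assumption 1
    evil_admin = User("mallory", ADMIN)
    try:
        if harden:
            change_base_url_hardened(evil_admin, settings, "http://exampIe.com",
                                     allowed_hosts={"example.com"})
        else:
            change_base_url_vulnerable(evil_admin, settings, "http://exampIe.com")
    except PermissionError:
        return None                                                  # step 1 blocked
    link = request_password_reset(settings, "sysadmin")              # step 2
    # Step 3: the victim clicks; the browser sends the GET to the host in the
    # link, which is the attacker's domain (assumption 2).
    if (urlsplit(link).hostname or "").lower() != "exampie.com":
        return None
    token = attacker_server_handles(link)                            # step 4
    return reset_password(settings, token, "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable:", run_attack(harden=False))   # sysadmin
    print("hardened:  ", run_attack(harden=True))    # None
```

The model makes the check visible: the reset link is only as trustworthy as the base URL it is built from, so whoever may edit that setting can redirect every outgoing link. The hardened variant is one possible design, not the project's own change; it gates the setting behind the stronger permission and pins the host to an allowlist, which is the check a reviewer would want regardless of how the real fix was implemented.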