VYPR
Unrated severity · NVD Advisory · Published Nov 11, 2021 · Updated Apr 30, 2025

Talkyard - Host-Header Injection Leads to Account Takeover

CVE-2021-25980

Description

In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1 and tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular, are vulnerable to Host Header Injection. By luring a victim application-user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Talkyard versions in the affected ranges are vulnerable to Host Header Injection via the forgot password functionality, enabling account takeover.

Vulnerability

Talkyard, a comment and forum application, is vulnerable to Host Header Injection in versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1, and tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular [2]. The vulnerability resides in the forgot password functionality, which fails to validate the Host header, allowing an attacker to manipulate the password reset link [2].

Exploitation

An unauthenticated attacker can exploit this by luring a victim application-user to click on a crafted link that uses a malicious Host header [2]. The link triggers the forgot password flow, and because the server uses the Host header to generate the reset link, the attacker can intercept the reset token and set a new password for the victim's account [2]. No authentication or special network position is required beyond crafting the malicious link and tricking the user into clicking it.

Impact

Successful exploitation allows the attacker to reset the victim's password and gain full control of the affected Talkyard account [2]. This leads to unauthorized access to the user's messages, posts, and administrative functions if the victim has elevated privileges. The impact is considered high as it compromises account integrity and confidentiality.

Mitigation

As of the available references, no specific fix version has been disclosed. The commit referenced in [1] shows a change that disallows access via IP address, which may be part of a broader fix, but it does not directly address the Host Header Injection vulnerability. Users should monitor the Talkyard repository for updates and consider applying input validation on the Host header or using a reverse proxy to strip injected headers as a temporary workaround.
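The Host header validation suggested above, shown as an added example that is not Talkyard's code or its fix: a reset-link builder that trusts the request's Host header, beside one that checks the header against configured hostnames and builds the link from a configured origin. The hostnames, route, token and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (constructed values): the canonical origin and the hostnames
# this site answers to come from server configuration, never from a request.
CANONICAL_ORIGIN = "https://forum.example.com"
ALLOWED_HOSTS = {"forum.example.com", "comments.example.com"}
RESET_PATH = "/reset-password"  # hypothetical route


class UntrustedHost(ValueError):
    """The request's Host header is not one of the configured hostnames."""


def normalize_host(host_header):
    """Return the lowercase hostname from a Host header value, port removed."""
    if not host_header or any(c in host_header for c in " \t\r\n/@\\,?#"):
        raise UntrustedHost(f"malformed Host header: {host_header!r}")
    try:
        # urlsplit copes with "name:port" and bracketed IPv6 literals.
        hostname = urlsplit("//" + host_header).hostname
    except ValueError as exc:
        raise UntrustedHost(f"malformed Host header: {host_header!r}") from exc
    if not hostname:
        raise UntrustedHost(f"malformed Host header: {host_header!r}")
    return hostname.rstrip(".")


def reset_link_vulnerable(host_header, token):
    """Weak pattern: the emailed link's origin is whatever the client sent."""
    return f"https://{host_header}{RESET_PATH}?token={token}"


def reset_link_hardened(host_header, token):
    """Reject unknown hosts up front and build the link from configuration."""
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        raise UntrustedHost(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?token={token}"


if __name__ == "__main__":
    for host in ("forum.example.com", "Forum.Example.com:443", "203.0.113.7"):
        try:
            print(host, "->", reset_link_hardened(host, "TOKEN-PLACEHOLDER"))
        except UntrustedHost as err:
            print(host, "-> rejected:", err)
```

Rejecting the request before any email is sent also covers access by bare IP address, since an IP literal is never in the configured hostname set.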

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • debiki/Talkyard (2 versions)
    • (no CPE) range: v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1, tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular
    • (no CPE) range: v0.04.01

Patches

0

No patches discovered yet.

References

2
