blob: bac2ecd1daa791c114fafa44188d4b28b01dfffe (
plain)
1
2
3
4
5
6
7
|
## Exploit
The `"mail"` field of the **Recover Password** page can be inspected and edited and anyone. Open `http://10.0.2.15/?page=recover` with Firefox and change the value of the `<input name="mail" …>` element before submitting the request. Alternatively, one may also use a script like the one provided in `reset.bash`.
## Fix
The problem here is that the server is trusting a client-supplied address instead of looking it up server-side. The client should supply a username/account identifier and the server must match it against its email in the database.
|
