Headline
CVE-2023-38877: GitHub - gugoan/economizzer: Open Source Personal Finance Manager
A host header injection vulnerability exists in gugoan’s Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users’ passwords.
** Economizzer**
Economizzer is a simple and open source personal finance manager system made in PHP Yii Framework 2.
It is available in the following languages: English, Spanish, Portuguese, Russian, Korean, Hungarian and French.
Learn more the features on the official website: www.economizzer.org
Live Demo
You can try: www.economizzer.org/web
Use the user “joe” and password "123456".
Requirements
The minimum requirement by this application that your Web server supports PHP 5.4.0 and either apache2 or nginx.
Required libraries: libapache2-mod-php, php-mbstring, php-xml, php-curl
Installation
git clone https://github.com/gugoan/economizzer.git
cd economizzer
composer install
Configuration
In folder economizzer/config/db.php set as follows:
return [ ‘class’ => 'yii\db\Connection’, ‘dsn’ => 'mysql:host=127.0.0.1;dbname=economizzer’, ‘username’ => 'USER’, ‘password’ => 'PASSWORD’, ‘charset’ => 'utf8’, ‘enableSchemaCache’ => true, ];
And import the database sql file
economizzer.sql
To test, go to http://yourserver/economizzer/web with user and password below:
Use the user “joe” and password "123456".
Contribution
Please see CONTRIBUTING.
License
Economizzer is Copyright © 2014 Gustavo G. Andrade. It is free software, and may be redistributed under the terms specified in the LICENSE file.
Donations
To encourage the developer with new enhancements, web hosting costs, or even to buy him a good beer, support the project by making a donation.
Thanks to
Related news
A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.