View Issue Details

ID: 0006394
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2022-02-09 10:19
Reporter: keywan.ghadami
Assigned To: (none)
Priority: high
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Fixed in Version: 6.4.1
Summary: 0006394: Password Reset Link is created with weak token
Description: It is possible to send a password reset link and precalculate the URL to reset the password without that email. So an attacker is able to set a new password and log in with every account.
Steps To Reproduce: given a known email address of a user

- go to lost password page
http://demoshop.oxid-esales.com/professional-edition/passwort-vergessen/
- enter the email address
- the victim will receive an email with a weak password reset link
Additional Information: DO NOT USE "generateUId" for tokens!

The forgotten-password token is generated indirectly by uniqid, which is known not to be secure.
Check the warning in
http://php.net/manual/de/function.uniqid.php

Additionally, it seems that the seed of that random generator is not set on fork, which means it will produce the same random numbers for parallel requests (because PHP might be forked, e.g. mod_php with Apache prefork).

From the code in oxutilsobject I see that microtime is appended to uniqid; as uniqid already includes the microtime, I guess this is a workaround for an already known ID collision (caused by the same seed). But using microtime again does not make the entropy better, because the second timestamp is highly dependent on the first one.

The weak random number/timestamp is then secured two times by md5, which makes the attack very difficult but not impossible. Always use a strong hash algorithm/mixer to protect random numbers.

It may take some weeks to prove that it is possible, but an improvement is available in a project; feel free to contact me.

Additional security protections missing:
- User should be able to use 2-factor authentication (best is a combination of a secret (e.g. password) and a non-copyable thing, e.g. a smartcard)
- Password forget function should ask for some information only known by the account owner
- User should be informed after password reset
- captcha should be used for password reset
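Added illustration by the editor, not the reporter's code and not OXID's implementation: the reconstructed weak pattern (uniqid plus microtime, hashed twice with md5) next to a reset token built from random_bytes(), stored only as a hash with an expiry and consumed on first use. The $store array and all function names are assumptions standing in for the shop's user table.

```php
<?php
declare(strict_types=1);

// Reconstruction of the reported pattern (hypothetical, not OXID's code):
// uniqid() is clock-derived, so md5() of it hides entropy but adds none.
function weakResetToken(): string
{
    return md5(md5(uniqid('', true) . microtime(true)));
}

// Why it is weak: the first 8 hex chars of uniqid() are just time() in hex.
function uniqidClockOffsetSeconds(): int
{
    return (int) abs(hexdec(substr(uniqid(), 0, 8)) - time());
}

// Hardened replacement: 256-bit CSPRNG token, stored hashed, expiring, single use.
// $store stands in for the user table column(s); its shape is an assumption.
function issueResetToken(array &$store, string $userId, int $ttl = 1800): string
{
    $token = bin2hex(random_bytes(32));
    $store[$userId] = [
        'hash'    => hash('sha256', $token),   // never persist the raw token
        'expires' => time() + $ttl,
    ];
    return $token;                              // only ever goes into the e-mail
}

function verifyResetToken(array &$store, string $userId, string $presented): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $rec = $store[$userId];
    if (time() > $rec['expires']) {
        unset($store[$userId]);                 // expired: discard
        return false;
    }
    $ok = hash_equals($rec['hash'], hash('sha256', $presented)); // constant time
    if ($ok) {
        unset($store[$userId]);                 // consumed: cannot be replayed
    }
    return $ok;
}

$store = [];
$token = issueResetToken($store, 'user-42');
var_dump(verifyResetToken($store, 'user-42', $token));   // first presentation
var_dump(verifyResetToken($store, 'user-42', $token));   // same token, now consumed
printf("weak token: %s\n", weakResetToken());
printf("uniqid() prefix vs clock: %d s apart\n", uniqidClockOffsetSeconds());
```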

Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined

Activities

There are no notes attached to this issue.