View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0006394||OXID eShop (all versions)||4.04. Security||public||2016-05-15 22:57||2022-02-09 10:19|
|Target Version||Fixed in Version||6.4.1|
|Summary||0006394: Password Reset Link is created with weak token|
|Description||it is possible to send password resetlink and precalculate the url to reset the password without that email. So Attacker is able to set new password and login with every account.|
|Steps To Reproduce||given an known email address of an user|
- go to lost password page
- enter the email address
- the victim will receive a email with a weak password reset link
|Additional Information||DO NOT USE "generateUId" for tokens! |
the password forgot token is generated indirectly by uniqid, which is known to be not secure.
check warning in
Additionally it seams that the seed of that random generator is not set on fork, and that means it will produce the same random numbers for parallel requests (because php might be forked (e.g. mod_php with apache prefork).
From code in oxutilsobject i see microtime is appended to uniqid, as uniqid already includes the microtime i guess this is a workaround for already known id collision (caused by the same seed). But using microtime again does not make the entropy better because the second timestamp is highly depended on the frist one.
The weak randomnumber/timestamp then is secured by two times by md5 which makes the attack very difficult but not impossible. Always use strong hash algorithm/mixer to protect random numbers.
May take some weeks to prove that it is possible but improvement is available in a project feel free to contact me.
Additional security protections missing:
- User should be able to use 2 factor authentication (best is a combination of a secrete (e.g. password) and a not copyable thing e.g. (smartcard))
- Password forget function should ask for some information only known by the account owner
- User should be informed after password reset
- captcha should be used for password reset
|Tags||No tags attached.|
|PHP Version||Not defined|
|Database Version||Not defined|