Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-30381

Insecure password reset hash

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 2.2.3, 2.3.2, 2.5.0, 2.4.2
    • Fix Version/s: 2.4.3, 2.5.1
    • Labels:
      None
    • Sprint:
      [3.0] - Sprint 1

      Description

      My security spiderman senses react to this code in 2.5 (it's the same in older versions, only moved to a new location in 2.5)
      https://github.com/ezsystems/ezplatform-user/blob/v1.0.0/src/bundle/Controller/PasswordResetController.php#L234

      General concerns:

      • MD5 hashes are very weak and should be avoided for security related code.
      • microtime(true) does not necessarily give you microseconds. Default float precision used to be 12, which would give 0.01 sec precision. Now it's 14, which is better, but still not quite microsecond accuracy. 16 would be better. We don't know what precision is used in any installation unless we specifically check it.
      • Logically it seems wrong to use the user email here, since several accounts can have the same email. User login would be the proper thing to use, if anything. It is also not good from an information disclosure point of view.

      Vulnerability
      Depending on PHP configuration and site setup, it may be easy to moderately easy to brute force the password reset hash.

      Possible remedies:

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              gunnstein.lye@ez.no Gunnstein Lye
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 day
                1d