Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 8 Sep 2016 14:58:12 +0200
From: Andreas Lindh <addelindh@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, cve-assign@...re.org
Subject: CVE for Sentry / OpenCFP

Hi list,

I recently reported an issue in the Sentry PHP auth framework that was
exploitable in OpenCFP. The bug itself is in the password reset
functionality, where the following code in Sentry is responsible for
verifying that a supplied password reset code is the same that is stored in
the database for a particular user.

public function checkResetPasswordCode($resetCode)
{
return ($this->reset_password_code == $resetCode);
}

This code will return True or False, depending on whether the password
reset codes match. The problem arises because the Sentry database schema
defines the default value of the password reset code as NULL. Because of
this, if an attacker can pass NULL to this function (by supplying it as a
password reset code), the checkResetPasswordCode() function will return
True, allowing the password change to go through.

This is a write-up of how this was exploitable in OpenCFP:
http://haxx.ml/post/149975211631/how-i-hacked-your-cfp-and-probably-some-other

This is the patch in OpenCFP:
https://github.com/opencfp/opencfp/commit/2f747fc219b73f9b0a11308083d2a356056752a4

This is the patch in Sentry:
https://github.com/cartalyst/sentry/commit/c679730b8848686f59125cd821bf94946fb16a94

Can I have CVEs assigned for this please? I am of the opinion that Sentry
and OpenCFP should have their own separate CVEs, but that is of course up
to Mitre to decide.

Cheers,
Andreas

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.