Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 8 Sep 2016 14:58:12 +0200
From: Andreas Lindh <>
To: "" <>,
Subject: CVE for Sentry / OpenCFP

Hi list,

I recently reported an issue in the Sentry PHP auth framework that was
exploitable in OpenCFP. The bug itself is in the password reset
functionality, where the following code in Sentry is responsible for
verifying that a supplied password reset code is the same that is stored in
the database for a particular user.

public function checkResetPasswordCode($resetCode)
return ($this->reset_password_code == $resetCode);

This code will return True or False, depending on whether the password
reset codes match. The problem arises because the Sentry database schema
defines the default value of the password reset code as NULL. Because of
this, if an attacker can pass NULL to this function (by supplying it as a
password reset code), the checkResetPasswordCode() function will return
True, allowing the password change to go through.

This is a write-up of how this was exploitable in OpenCFP:

This is the patch in OpenCFP:

This is the patch in Sentry:

Can I have CVEs assigned for this please? I am of the opinion that Sentry
and OpenCFP should have their own separate CVEs, but that is of course up
to Mitre to decide.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.