Message-ID: <CALfBxETd+QLOhPkR=W9EZtvd8w7K15+bWVVDjAmQbG_x=5dqcg@mail.gmail.com>
Date: Thu, 8 Sep 2016 14:58:12 +0200
From: Andreas Lindh <addelindh@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, cve-assign@...re.org
Subject: CVE for Sentry / OpenCFP

Hi list,

I recently reported an issue in the Sentry PHP auth framework that was exploitable in OpenCFP.

The bug itself is in the password reset functionality, where the following code in Sentry is responsible for verifying that a supplied password reset code is the same that is stored in the database for a particular user.

    public function checkResetPasswordCode($resetCode)
    {
        // loose (==) comparison: NULL == NULL evaluates to true
        return ($this->reset_password_code == $resetCode);
    }

This code will return True or False, depending on whether the password reset codes match. The problem arises because the Sentry database schema defines the default value of the password reset code as NULL. Because of this, if an attacker can pass NULL to this function (by supplying it as a password reset code), the checkResetPasswordCode() function will return True, allowing the password change to go through.

This is a write-up of how this was exploitable in OpenCFP:
http://haxx.ml/post/149975211631/how-i-hacked-your-cfp-and-probably-some-other

This is the patch in OpenCFP:
https://github.com/opencfp/opencfp/commit/2f747fc219b73f9b0a11308083d2a356056752a4

This is the patch in Sentry:
https://github.com/cartalyst/sentry/commit/c679730b8848686f59125cd821bf94946fb16a94

Can I have CVEs assigned for this please? I am of the opinion that Sentry and OpenCFP should have their own separate CVEs, but that is of course up to Mitre to decide.

Cheers,
Andreas
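The failure mode described in the message is PHP's loose `==` comparison accepting a NULL stored value against a missing or empty submitted value. The following is an added illustration, not code from Sentry, OpenCFP, or the reporter: it places the weak check next to a hardened one that refuses to compare when no reset is pending, requires a non-empty string, and uses a constant-time comparison. The `User` class, the method names, and the candidate inputs are assumptions constructed for this example.

```php
<?php
// Added example (not Sentry's or OpenCFP's code). The User class and the
// method names are assumptions; only the loose check mirrors the report.

class User
{
    // Mirrors the schema default described in the report: when no reset
    // has been requested, the stored code is NULL.
    public $reset_password_code = null;

    // Weak check, as in the report: with == in PHP, null == null is true,
    // and so are null == "" and null == false.
    public function checkResetPasswordCodeLoose($resetCode)
    {
        return ($this->reset_password_code == $resetCode);
    }

    // Hardened check: no pending reset means no match; the supplied value
    // must be a non-empty string; the comparison is strict and constant-time.
    public function checkResetPasswordCodeStrict($resetCode)
    {
        if ($this->reset_password_code === null) {
            return false;
        }
        if (!is_string($resetCode) || $resetCode === '') {
            return false;
        }
        return hash_equals($this->reset_password_code, $resetCode);
    }
}

$user = new User(); // no reset in progress: stored code is NULL

// Values a request handler might pass through when the parameter is
// absent or empty (constructed for this example).
$candidates = [null, '', false, 'not-the-code'];

foreach ($candidates as $candidate) {
    printf(
        "input=%-14s loose=%-5s strict=%s\n",
        var_export($candidate, true),
        var_export($user->checkResetPasswordCodeLoose($candidate), true),
        var_export($user->checkResetPasswordCodeStrict($candidate), true)
    );
}

// With a genuine reset pending, only the exact code satisfies the strict check.
$user->reset_password_code = bin2hex(random_bytes(16));
printf(
    "pending reset: correct=%s wrong=%s\n",
    var_export($user->checkResetPasswordCodeStrict($user->reset_password_code), true),
    var_export($user->checkResetPasswordCodeStrict('wrong'), true)
);
```

Running this shows the loose check returning true for the NULL, empty-string and false inputs while the strict check returns false for all of them; the same guard (reject when the stored code is NULL, then compare strictly) is the shape of fix a reviewer would look for in any reset-token or one-time-code verifier, regardless of framework.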