Maltem Security Advisory

Title

Account takeover through password recovery functionality on Gestsup

Severity

Critical

Discovered by

Marcelo Ardiles

Advisory date

04/25/2021

CVE

CVE-2021-31646

Affected Products

Gestsup versions from 3.146 to 3.2.9 are vulnerable. The issue was fixed in version 3.2.10.

Description

An attacker who knows the email addresses of the users of the Gestsup application could use the password recovery feature to compromise their accounts.

Password recovery tokens are predictable: the web application generates them with the PHP uniqid() function, which is not a cryptographically secure source of randomness. An attacker can request a password recovery for a target user and then guess the recovery token by brute force.

The brute force attack is feasible for two reasons. First, uniqid() derives the token from the system clock (a 13-character hexadecimal value built from the current time in seconds and microseconds), so an attacker who knows roughly when the recovery request was made only has to search a few million candidates. Second, the tokens never expire and the application implements no protection against repeated attempts, such as captcha challenges or rate limiting.
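The following Python script is an added illustration, not Gestsup's code or a PHP library routine. It emulates the output format of PHP's uniqid() (8 hex digits of seconds followed by 5 hex digits of microseconds), enumerates every token the function could have produced inside a known time window, and contrasts that search space with a token drawn from the operating system CSPRNG. The request timestamp, the one-second clock skew and the three-second window are constructed values, and the is_valid callback stands in for the real password reset endpoint.

```python
"""Why uniqid()-based recovery tokens are brute-forceable.

Added example (not Gestsup code): emulates PHP's uniqid() output format,
enumerates every token the function could have produced inside a known
time window, and contrasts the search space with a CSPRNG-based token.
"""
import math
import secrets

MICROSECONDS = 1_000_000


def php_uniqid(sec: int, usec: int, prefix: str = "") -> str:
    """Emulate PHP uniqid($prefix) without the more_entropy flag.

    PHP formats the current Unix time as 8 hex digits of seconds followed by
    5 hex digits of microseconds, i.e. sprintf("%s%08x%05x", prefix, sec, usec).
    """
    if not 0 <= usec < MICROSECONDS:
        raise ValueError("usec must be in [0, 1_000_000)")
    return f"{prefix}{sec:08x}{usec:05x}"


def candidate_tokens(start_sec: int, window_sec: int):
    """Yield every uniqid() value producible in [start_sec, start_sec + window_sec).

    This is the attacker's whole search space once the request time is known
    to within window_sec seconds: window_sec * 1_000_000 candidates.
    """
    for sec in range(start_sec, start_sec + window_sec):
        for usec in range(MICROSECONDS):
            yield php_uniqid(sec, usec)


def search_space_bits(window_sec: int) -> float:
    """Effective entropy of a uniqid() token when the request time is known to window_sec."""
    return math.log2(window_sec * MICROSECONDS)


def brute_force(is_valid, start_sec: int, window_sec: int):
    """Submit each candidate to is_valid() (stands in for the reset endpoint).

    Returns (token, attempts) on success or (None, attempts) if the window
    did not contain the token. Without rate limiting or token expiry nothing
    stops this loop from running to completion against the real application.
    """
    attempts = 0
    for token in candidate_tokens(start_sec, window_sec):
        attempts += 1
        if is_valid(token):
            return token, attempts
    return None, attempts


def secure_token() -> str:
    """The fix: 256 bits from the OS CSPRNG (PHP equivalent: bin2hex(random_bytes(32)))."""
    return secrets.token_hex(32)


def simulate_attack(target_sec: int, target_usec: int, clock_skew_sec: int = 1, window_sec: int = 3):
    """Victim requests a reset at (target_sec, target_usec); the attacker knows that
    time to within clock_skew_sec seconds (constructed scenario)."""
    victim_token = php_uniqid(target_sec, target_usec)
    # The attacker never sees the token, only whether the application accepts a guess.
    found, attempts = brute_force(lambda t: t == victim_token,
                                  target_sec - clock_skew_sec, window_sec)
    return found == victim_token, attempts


if __name__ == "__main__":
    ok, attempts = simulate_attack(1619308800, 123456)
    print(f"recovered: {ok} after {attempts:,} attempts")
    print(f"uniqid() search space in a 3 s window: {search_space_bits(3):.1f} bits")
    print(f"secrets.token_hex(32): 256 bits, e.g. {secure_token()}")
```

With the request time known to within a few seconds the token carries roughly 21 bits of entropy, which is a few million HTTP requests against an endpoint with no rate limiting and no expiry; a 32-byte CSPRNG token carries 256 bits. The remediation is therefore two-fold: generate the token with random_bytes() (or an equivalent CSPRNG), and additionally give it a short expiry and throttle attempts against the reset endpoint.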

The snippet below shows the vulnerable source code:

File: forgot_pwd.php

Risks

An attacker could compromise the accounts of Gestsup users and use the information of the portal's customers or users to carry out further attacks.

Timeline

- 2021-04 Maltem discovers the vulnerability.

- 2021-04 Maltem notifies vendor.

- 2021-04 Vendor fixes the vulnerability.

- 2021-04 Maltem publishes the vulnerability.

References

- https://gestsup.fr/

- https://www.php.net/manual/en/function.uniqid.php