Maltem Security Advisory

Title: Account takeover through password recovery functionality on Gestsup
Severity: Critical
Discovered by: Marcelo Ardiles
Advisory date: 04/25/2021
CVE: CVE-2021-31646
Affected Products
Gestsup versions from 3.146 to 3.2.9 are vulnerable.
The issue was fixed in version 3.2.10.
Description
An attacker who knows the email addresses of users of the Gestsup application could use the password recovery feature to compromise their accounts.
Password recovery tokens are not sufficiently unpredictable: the web application generates them with PHP's uniqid() function, which is not a cryptographically secure source of randomness. As a result, an attacker can request a password recovery for a victim and guess the recovery token by brute force.
The brute-force attack is feasible because the uniqid() value is derived from the system clock (its 13 hexadecimal characters encode the current time in seconds and microseconds), so an attacker who knows roughly when the recovery request was made only has to enumerate a small window of candidate values; and because tokens do not expire and the application does not implement any protection, such as captcha challenges or rate limiting.
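The example below is added to this advisory and is not Gestsup's code. It simulates the 13-character format that PHP's uniqid() produces (8 hex digits of seconds, 5 of microseconds) to show how small the search space is once the attacker knows the approximate request time, and contrasts it with a token issuer that uses the OS CSPRNG, hashes the stored token, expires it, makes it single-use and locks it after repeated failures. The timestamps, the email address and the token store class are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional, Tuple


def php_uniqid(sec: int, usec: int) -> str:
    """Mirror PHP uniqid() without more_entropy: sprintf("%08x%05x", seconds, microseconds)."""
    return f"{sec:08x}{usec:05x}"


def brute_force_uniqid(is_valid: Callable[[str], bool],
                       window_start: int, window_end: int) -> Tuple[Optional[str], int]:
    """Enumerate every uniqid() value the server could have produced in the given second window.
    is_valid stands in for the reset endpoint, which accepts only the real token."""
    attempts = 0
    for sec in range(window_start, window_end + 1):
        for usec in range(1_000_000):          # at most 1e6 candidates per second of uncertainty
            attempts += 1
            candidate = php_uniqid(sec, usec)
            if is_valid(candidate):
                return candidate, attempts
    return None, attempts


# Constructed scenario: the victim's reset was triggered at epoch 1619344801.043210
# and the attacker knows it happened within a three-second window around that moment.
REQUEST_SEC = 1619344801
REQUEST_USEC = 43210
VICTIM_TOKEN = php_uniqid(REQUEST_SEC, REQUEST_USEC)


def attack_demo() -> Tuple[Optional[str], int]:
    return brute_force_uniqid(lambda t: t == VICTIM_TOKEN, REQUEST_SEC - 1, REQUEST_SEC + 1)


class ResetTokenStore:
    """Hardened issuer (constructed): CSPRNG token, hashed at rest, expiring, single-use, lockout."""
    TTL_SECONDS = 15 * 60
    MAX_FAILURES = 5

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending = {}   # email -> (sha256 hex of token, expiry epoch)
        self._failures = {}  # email -> failed redemption count

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not the clock
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[email] = (digest, self._now() + self.TTL_SECONDS)
        self._failures[email] = 0
        return token  # sent to the user; only the hash is kept

    def redeem(self, email: str, presented: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry or self._failures[email] >= self.MAX_FAILURES:
            del self._pending[email]  # expired or locked: force a fresh request
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(presented.encode()).hexdigest())
        if ok:
            del self._pending[email]  # single use
        else:
            self._failures[email] += 1
        return ok


def hardened_demo() -> dict:
    clock = [1619344800.0]
    store = ResetTokenStore(now=lambda: clock[0])
    email = "victim@example.invalid"
    results = {}
    token = store.issue(email)
    results["guesses_rejected"] = all(not store.redeem(email, secrets.token_urlsafe(32))
                                      for _ in range(ResetTokenStore.MAX_FAILURES))
    results["locked_after_failures"] = not store.redeem(email, token)
    token = store.issue(email)
    results["valid_once"] = store.redeem(email, token)
    results["replay_rejected"] = not store.redeem(email, token)
    token = store.issue(email)
    clock[0] += ResetTokenStore.TTL_SECONDS + 1
    results["expired_rejected"] = not store.redeem(email, token)
    return results


if __name__ == "__main__":
    found, tries = attack_demo()
    print(f"recovered {found} after {tries} guesses")
    print(hardened_demo())
```

Each second of uncertainty about the request time costs the attacker at most a million guesses, which is trivial without rate limiting; the hardened store makes the token itself unguessable and bounds both the lifetime and the number of attempts.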
The snippet
below shows the vulnerable source code:
File: forgot_pwd.php
Risks
An attacker could compromise the accounts of Gestsup users and use the customer or user information held in the portal to carry out further attacks.
Timeline
- 2021-04 Maltem discovers the vulnerability.
- 2021-04 Maltem notifies vendor.
- 2021-04 Vendor fixes the vulnerability.
- 2021-04 Maltem publishes the vulnerability.
References
- https://www.php.net/manual/en/function.uniqid.php