Closed vanderaj closed 11 years ago
Our library sets a temporary password whenever someone requests a password reset, and one can use that password to log in, after which they will be forced to change their password. If one did not request it, they can simply ignore it and keep using their old password. Any scenarios on how to abuse this?
Notice: This message is digitally signed; its source and integrity are verifiable. If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com
On Tir 26, 1392, at 3:38 PM, vanderaj notifications@github.com wrote:
Attackers can use resetPassword in two ways:
a) enumerate valid user account names
b) denial of service against users by causing their password to be reset
The design of the resetPassword must cope with providing business logic in such a way that account enumeration is not possible.
I strongly suggest that resetPassword does not change the user's password until the temporary token supplied to them is validated.
@vanderaj: I see your point... but here is what I thought at the time. From the developer's perspective (and not the end user's), we wanted a function that can securely replace the old password with a new one. So I made two separate functions... in advanced password management you will see one function called "tempPassword"... this function is used to create and validate temporary passwords. Now the function you pointed out (resetPassword) is used to reset a password (the only constraint here is that the old password must be validated before it can be replaced with a new one)...
Now from a developer's perspective consider this: we do not know how the developer might choose to execute tempPassword... they might want to send a link in an email, or they might just set the user's password to some temporary password like "12345" and send the user a message... so the function tempPassword just generates a temp password and returns it to the developer... the developer can use this temp password however he likes and validate the user... once done... he can just call resetPassword to reset the user's password... because the developer might choose not to use the overhead of tempPassword and directly use the resetPassword function... so it's a two-stage thing... and the developer is allowed to use either of them, or both of them... it's their choice...
As for your points (A) and (B): (A) it's up to the developer to handle this... they can choose to handle the exception by generating a message like "Wrong Username/Password" or something like that... or they can do nothing... it's their choice... (I hope this is what you meant by enumerating valid users).
(B) Here the developers are using the library; I am not sure how DoS attacks can happen here... you have to tell me more here...
@abiusx: This is not how I made the library... the temporary password validation and the password reset are two different functions... however, what you said can be achieved if the developers first use the temporary password and then use resetPassword... and this is how I intended it from the start...
As for your scenario, if the password is only reset after tempPassword has been validated (as you and vanderaj both said)... then in this scenario I cannot see a security weakness, because the password is only changed after the validation of tempPassword.
@vanderaj @abiusx if you both want, I can create a separate function that uses tempPassword and resetPassword, both at once, as you intend... this would be a 2-line function:

```php
function resetPasswordUsingTemp($oldPass, $newPass)
{
    // Only replace the password once the temporary password has been validated.
    if (AdvancedPassword::tempPassword() == TRUE) {
        resetPassword($oldPass, $newPass);
    }
}
```
@vanderaj Please respond.
ResetTemporaryPassword is a much better name, ResetPasswordUsingTemp?? Basically you want to assign a temporary password (with a timeout) to the user record. -A
Oh...this was just a suggestion. I am not creating such a function. I said I can create it if you guys will feel it's useful.
The temporary password can serve as the unique token for password reset as well, which is by far the safest approach yet. -A
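The design the three of them converge on above (vanderaj: no enumeration, no reset-driven lockout, and no password change until the token is validated; Rahul: a two-stage tempPassword / resetPassword split; AbiusX: the temporary password doubles as the reset token and carries a timeout) can be shown end to end in a few dozen lines. The following is an added example written for this page, not phpsec's own code; the class name PasswordReset, the 15-minute TOKEN_TTL, and the in-memory user array standing in for a database table are all assumptions made for the example.

```php
<?php
// Added example (not phpsec's code): a two-stage password reset where
//   stage 1 issues a temporary token without touching the live password, and
//   stage 2 replaces the password only after that token validates.
// Class/constant names and the in-memory "user table" are assumptions.
declare(strict_types=1);

final class PasswordReset
{
    private const TOKEN_TTL   = 900;   // assumption: 15 minutes, AbiusX's "timeout"
    private const TOKEN_BYTES = 32;    // 256 bits of entropy from the CSPRNG

    /** @var array<string, array{hash:string, reset_hash:?string, reset_expires:?int}> */
    private array $users;              // stand-in for the user table

    public function __construct(array $users) { $this->users = $users; }

    /**
     * Stage 1 (Rahul's tempPassword role): mint a token and hand it to the caller,
     * who decides how to deliver it (link, e-mail, SMS). An unknown account gets a
     * token of identical shape that is stored nowhere, so the reply is the same
     * either way (vanderaj's point a: no account enumeration). The live password
     * hash is never touched here (vanderaj's point b: no reset-driven lockout).
     */
    public function requestReset(string $username): string
    {
        $token = bin2hex(random_bytes(self::TOKEN_BYTES));
        if (isset($this->users[$username])) {
            // Store only a hash of the token: a database leak must not yield live tokens.
            $this->users[$username]['reset_hash']    = hash('sha256', $token);
            $this->users[$username]['reset_expires'] = time() + self::TOKEN_TTL;
        }
        return $token;
    }

    /**
     * Stage 2 (Rahul's resetPassword role, gated on validation): every failure
     * returns the same false, the compare is constant-time, the token expires,
     * and it is consumed on first successful use.
     */
    public function resetWithToken(string $username, string $token, string $newPassword): bool
    {
        $u = $this->users[$username] ?? null;
        if ($u === null || $u['reset_hash'] === null || $u['reset_expires'] === null) {
            return false;
        }
        if (time() > $u['reset_expires']) {
            $this->clearToken($username);
            return false;
        }
        if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
            return false;
        }
        $this->users[$username]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $this->clearToken($username);   // single use
        return true;
    }

    public function verify(string $username, string $password): bool
    {
        $u = $this->users[$username] ?? null;
        return $u !== null && password_verify($password, $u['hash']);
    }

    private function clearToken(string $username): void
    {
        $this->users[$username]['reset_hash']    = null;
        $this->users[$username]['reset_expires'] = null;
    }
}

// Constructed sample data: a single account "alice" with password "old-pass".
$store = new PasswordReset([
    'alice' => ['hash' => password_hash('old-pass', PASSWORD_DEFAULT),
                'reset_hash' => null, 'reset_expires' => null],
]);

$tokenAlice = $store->requestReset('alice');
$tokenBob   = $store->requestReset('bob');           // unknown user, same-shaped reply
assert(strlen($tokenAlice) === strlen($tokenBob));
assert($store->verify('alice', 'old-pass'));         // a request alone changes nothing
assert(!$store->resetWithToken('alice', 'wrong-token', 'new-pass'));
assert(!$store->resetWithToken('bob', $tokenBob, 'new-pass'));
assert($store->resetWithToken('alice', $tokenAlice, 'new-pass'));
assert($store->verify('alice', 'new-pass'));
assert(!$store->resetWithToken('alice', $tokenAlice, 'again'));  // token already consumed
echo "ok\n";
```

The point worth checking in any real implementation is the order of operations in stage 2: the write to the password column happens only after the expiry check and the hash_equals comparison succeed, and the token is cleared in the same step so a captured reset link cannot be replayed. If the "temporary password" is also accepted at the normal login form, as the opening message describes, it should be subject to the same expiry and single-use handling rather than sitting in the password field as a second permanent credential.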
That is what I originally intended... and that is what the function does... I mean, what you are talking about is automatically the by-product... :)