sentora / sentora-core

Sentora is a web hosting control panel written in PHP for *NIX
GNU General Public License v3.0

Password reset token is reusable #291

Closed mathewberry closed 1 year ago

mathewberry commented 7 years ago

For support, please use our forums: http://forums.sentora.org/, you can search for solutions there. Feel free to open a new question if none of the threads solve your problem. Please, do NOT use this issue tracker for support.

For bug reports please provide the following information:

Operating System: Ubuntu

Operating System Version number: 14.04

Sentora Version: 1.0.3

Issue: password reset token is reusable

How to reproduce it: simply click "forgot password", go to your email, click the link and reset your password. Once this is done, just test that your password has changed, then click the link in the email again and it should let you change the password.

Suggested fix or solution if you have any: delete the token as soon as the password is changed, then generate a new token every time a password reset request is made.

Thank you on behalf of the Sentora Team.

V 0.0.2
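The single-use behaviour the report asks for (token deleted on first use, a fresh token on every request, plus an expiry), as an added Python sketch that is not Sentora's own PHP code; the in-memory store, user names and one-hour TTL are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores (assumption; a real panel uses its database).
# Only sha256(token) is kept, so a leaked table does not yield usable links.
_RESET_TOKENS: dict = {}      # token hash -> (user, expires_at)
_USER_PASSWORDS: dict = {}    # user -> password hash
TOKEN_TTL_SECONDS = 3600


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(user: str, now: float) -> str:
    """Issue a fresh token and revoke any earlier token for the same user,
    so an older emailed link is dead as soon as a newer request is made."""
    for h, (u, _) in list(_RESET_TOKENS.items()):
        if u == user:
            del _RESET_TOKENS[h]
    token = secrets.token_urlsafe(32)
    _RESET_TOKENS[_token_hash(token)] = (user, now + TOKEN_TTL_SECONDS)
    return token


def reset_password(token: str, new_password: str, now: float) -> bool:
    """Consume the token: pop() removes it before the password is changed,
    so the emailed link can succeed exactly once. Returns False on an
    unknown, already-used or expired token (the caller shows an error)."""
    entry = _RESET_TOKENS.pop(_token_hash(token), None)
    if entry is None:
        return False                      # unknown or already used
    user, expires_at = entry
    if now > expires_at:
        return False                      # expired; token is gone either way
    # Stand-in for real password hashing (bcrypt/argon2 in production).
    _USER_PASSWORDS[user] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def check_password(user: str, password: str) -> bool:
    stored = _USER_PASSWORDS.get(user)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, candidate)
```

Replaying the report's steps against this sketch, the second click on the same link is rejected and the password set by the first click stays in place.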

TGates71 commented 7 years ago

Hmmm... should be a simple fix. Could be a typo in there somewhere that is not removing the old token. Thanks for the input!

TGates71 commented 7 years ago

Tested. The hash is removed after entering the new password. The password does not get reset the second time. Need to show an invalid-hash or other error if it does not exist and redirect to the login screen.

MBlagui commented 7 years ago

We will check so we send a smooth error.

VedranIteh commented 4 years ago

Was this issue fixed too? https://ssd-disclosure.com/archives/3386/ssd-advisory-sentora-zpanel-password-reset-vulnerability

TGates71 commented 1 year ago

Resolved in v2 @Dukecitysolutions

TGates71 commented 1 year ago

Seems to be resolved in v2.0.0