Opened 7 years ago

Closed 7 years ago

#10772 closed (invalid)

Password Reset exposes non-trivial security vulnerability

Reported by: fergusferrier Owned by: nobody
Component: contrib.auth Version: 1.0
Severity: Keywords: password reset token
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


Assuming an attacker obtained:
1) read access to your Users table
2) read access to your file [presumably a good chance of this if they have 1)]

Then they can set the password for any user, because the token that would have been created in password reset can be created knowing settings.SECRET_KEY and the User's data.

        hash = sha_constructor(settings.SECRET_KEY + unicode( +
                               user.password + unicode(user.last_login) +

Thus escalating read-access to certain data, to User-level write access. Or if a superuser account were compromised, full data-object-level write access.

Two alternatives:

1) A randomly-generated key is generated each time password reset requested, and stored in a Model. This only restricts the vulnerability to attackers who have real-time access to the User table, as they can effect the same vulnerability by requesting password reset for the user they wanted to 'become', and reading the key from the database. Though this leaves password reset emails in wake.

2) The only possible better idea I can suggest would be some kind of system where part of the token information was sent with the email [maybe a random string] and part stored in the database [a hash of that random string]. So, even if you could read the database, you would need the information sent with the email to effect password reset. Though if you had access to comprehensive mail logs on the box, same problem.

But maybe this isn't as dire as I'm making it out to be...

Change History (1)

comment:1 Changed 7 years ago by jacob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

Yeah. If an attacker has read access to your and your users table you've got a lot more to worry about than them changing your users' passwords.

Note: See TracTickets for help on using tickets.
Back to Top