﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
10772	Password Reset exposes non-trivial security vulnerability	fergusferrier	nobody	"Assuming an attacker obtained:[[BR]]
1) read access to your Users table[[BR]]
2) read access to your settings.py file [presumably a good chance of this if they have 1)]

Then they can set the password for any user, because the token that would have been created in password reset can be created knowing settings.SECRET_KEY and the User's data. 

{{{
        hash = sha_constructor(settings.SECRET_KEY + unicode(user.id) +
                               user.password + unicode(user.last_login) +
                               unicode(timestamp)).hexdigest()[::2]
}}}

Thus escalating read access to certain data into User-level write access. Or, if a superuser account were compromised, full data-object-level write access. 

Two alternatives:

1) A randomly-generated key is generated each time a password reset is requested, and stored in a Model. This only restricts the vulnerability to attackers who have real-time access to the User table, as they can effect the same vulnerability by requesting a password reset for the user they wanted to 'become', and reading the key from the database. Though this leaves password reset emails in its wake. 

2) The only possible better idea I can suggest would be some kind of system where part of the token information was sent with the email [maybe a random string] and part stored in the database [a hash of that random string]. So, even if you could read the database, you would need the information sent with the email to effect password reset. Though if you had access to comprehensive mail logs on the box, same problem. 

But maybe this isn't as dire as I'm making it out to be..."		closed	contrib.auth	1.0		invalid	password reset token		Unreviewed	0	0	0	0	0	0
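Worked example, added alongside the ticket and not Django's own code: a Python 3 reconstruction of the 1.0-era token quoted above (`sha_constructor` is SHA-1, the timestamp is days since 2001-01-01 and is prefixed to the token in base 36), used to show that someone holding `settings.SECRET_KEY` plus one `auth_user` row can recompute the current token exactly; next to it, the reporter's alternative 2, where a random value travels only in the email and the database holds just its hash, so a database read no longer yields a usable token. `SECRET_KEY`, `USER_ROW`, the dates and the in-memory `db` dict are all constructed for illustration.

```python
"""Reconstruction of the Django 1.0-era password-reset token from the ticket,
next to the 'random secret in mail, hash in DB' alternative (option 2).

Added example, not Django's code. SECRET_KEY, USER_ROW and dates are constructed.
"""
import hashlib
import secrets
from datetime import date, datetime

# Constructed stand-in for settings.SECRET_KEY (readable to anyone with settings.py access).
SECRET_KEY = "constructed-secret-key-for-illustration"

# Constructed stand-in for one auth_user row (readable to anyone with DB read access).
USER_ROW = {
    "id": 42,
    "password": "sha1$abcde$0123456789abcdef0123456789abcdef01234567",
    "last_login": datetime(2009, 4, 6, 12, 30, 0),
}


def int_to_base36(i):
    """Same encoding Django used for the timestamp prefix of the token."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    if i == 0:
        return "0"
    out = ""
    while i > 0:
        i, r = divmod(i, 36)
        out = digits[r] + out
    return out


def days_since_2001(d):
    """The 'timestamp' in the quoted hash: whole days since 2001-01-01."""
    return (d - date(2001, 1, 1)).days


def make_token_v1(secret_key, user, timestamp):
    """The scheme quoted in the ticket. Every input comes from settings.py or the
    users table; unicode(...) in the original is str(...) here, and [::2] keeps
    every other hex digit, giving a 20-character hash part."""
    payload = (secret_key + str(user["id"]) + user["password"]
               + str(user["last_login"]) + str(timestamp))
    digest = hashlib.sha1(payload.encode("utf-8")).hexdigest()[::2]
    return "%s-%s" % (int_to_base36(timestamp), digest)


def forge_token_v1(leaked_secret_key, leaked_user_row, today):
    """What the attacker in the ticket does: recompute today's token from the leaked
    secret key and user row, with no access to the reset email at all."""
    return make_token_v1(leaked_secret_key, leaked_user_row, days_since_2001(today))


# --- Option 2 from the ticket: random value in the email, only its hash in the DB ---

def issue_reset_v2(db, user_id):
    """Return the secret that goes into the email; the DB keeps only its SHA-256."""
    mail_secret = secrets.token_urlsafe(32)
    db[user_id] = hashlib.sha256(mail_secret.encode("utf-8")).hexdigest()
    return mail_secret


def check_reset_v2(db, user_id, presented):
    """Accept only a value whose hash matches the stored one (constant-time compare)."""
    stored = db.get(user_id)
    if stored is None:
        return False
    candidate = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return secrets.compare_digest(stored, candidate)


def demo(today=date(2009, 4, 7)):
    """Run both scenarios and report what an attacker with DB + settings.py can do."""
    legit = make_token_v1(SECRET_KEY, USER_ROW, days_since_2001(today))
    forged = forge_token_v1(SECRET_KEY, USER_ROW, today)
    db = {}
    mail_secret = issue_reset_v2(db, USER_ROW["id"])
    return {
        "v1_forgeable": legit == forged,                          # True: token fully derivable
        "v2_db_value_is_secret": db[USER_ROW["id"]] == mail_secret,  # False: DB holds only a hash
        "v2_accepts_mail_secret": check_reset_v2(db, USER_ROW["id"], mail_secret),
        "v2_rejects_db_value": check_reset_v2(db, USER_ROW["id"], db[USER_ROW["id"]]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

Note the caveat the reporter already raises still holds for option 2: whoever can read the outgoing mail (mail logs, the mail spool, the mailbox) holds the same value the user does, so the stored hash only defends against a database read, not against a compromised mail path.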
