Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in postfixadmin/postfixadmin

Valid

Reported on

Aug 2nd 2021


✍️ Description

uniqid is used as input to MD5 when generating a PFA_TOKEN (I'll refer to this as a session token) - the function uniqid is not a CSPRNG but rather is a PRNG meaning that it cannot generate cryptographically reliable/secure values.

🕵️‍♂️ Proof of Concept

Execute the below code:

<?php
    for ( $i = 0; $i < 50; $i++ ) {
        $val = uniqid( "", true );
        echo "#$i: ".$val." = \"".md5( $val )."\"</br>";
    }
?>

Notice how the values on the right may seem random, the ones on the left are incredibly similar and would prove easy for an attacker to guess/brute-force.

💥 Impact

This vulnerability is capable of being able to take over user-sessions by brute-forcing PFA_TOKENs.

Michael Rowley
4 months ago

Researcher


See this & this

Michael Rowley
4 months ago

Researcher


@admin in response to the issue that was automagically opened as the bot couldn't find a SECURITY.MD, the maintainer has created one that says 'GingerDog' or 'cboltz' can be contacted via the email that can be found in their git changelogs. From git log in my terminal, it seems like their emails are david@codepoets.co.uk & postfixadmin@cboltz.de so I'm not sure if you need to send them huntr.dev maintainer links via those email addresses manually as they aren't on the new SECURITY.MD page.

Ziding Zhang
4 months ago

Admin


Hey Michael, you're right, our process is to check up on these created issues and then manually send them the magic maintainer links.

Will be getting on this right now; I'll update you once emails have been sent.

Michael Rowley
4 months ago

Researcher


That's good to hear, I thought it was all automated (some sort of callback when a SECURITY.MD was created maybe and then REGEX that file for a email)

Ziding Zhang
4 months ago

Admin


Hey Michael, just sent them both an email. Thanks for your proactivity.

Ziding Zhang
4 months ago

Admin


And you're right again by the way - if an email is detected, we'll send them the links automatically. Else, we will manually facilitate!

Michael Rowley
4 months ago

Researcher


Ah that makes sense, thanks for the insight!

Ziding Zhang
4 months ago

Admin


Thanks for your quality reports!

We have contacted a member of the postfixadmin team and are waiting to hear back 4 months ago
We have contacted a member of the postfixadmin team and are waiting to hear back 4 months ago
postfixadmin/postfixadmin maintainer
4 months ago

Hi - thanks for reporting the issue. I appreciate having someone else look at the code and help make it more secure for everyone.

PostfixAdmin uses the session variable 'PFA_token' as a means of preventing a CSRF request. The value of the PFA_token should be embedded in pages where someone may be submitting a form..... when the form is submitted we check that the submitted value of the PFA_token matches up with what is in the session.

I'll change the code to include random_bytes(8) so there's more random-ness used in the PFA_token value, but it feels like it'd be hard to trigger/exploit this in any case.

So if you're able to accurately tell what the time on the server is, you could therefore presumably calculate what the uniqid value would be, and therefore the md5 value used in the page .... and hence perform a CSRF request.

I'm not quite sure I'd agree with :

"This vulnerability is capable of being able to take over user-sessions by brute-forcing PFA_TOKENs."

I could see some additional randomness might be desirable to avoid a possible CSRF issue though.

postfixadmin/postfixadmin maintainer
4 months ago

Ergh, sorry, my reply is a bit jumbled up - I think I lost some of what was in the text box or something.

Better version :

I think this only affects the CSRF protection we have in place.

I'll change the code to use more entropy in the population of the PFA_token value.

I think this would be difficult to exploit, unless you could tell the exact time someone logged into Postfixadmin.

Michael Rowley
4 months ago

Researcher


Ah you're right, I thought that PFA_TOKENs were session tokens and therefore had a higher value than they actually do - I can't think of any reasonable way to exploit this as I looked into injecting CSRF tokens into requests but couldn't find a reliable way to do so (with JavaScript at least). The severity of this report is way higher than it should be due to the tokens only being CSRF tokens, I'm not sure I can manually lower the severity of this report but if you or @admin could I'd appreciate it!

Michael Rowley
4 months ago

Researcher


Also, would it be possible for you to validate the report and mark your commit (25ac89f6a7a51b34043fad388b7f81e4e07994e9) as the fix?

postfixadmin/postfixadmin maintainer confirmed that a fix has been merged on 25ac89 4 months ago
The fix bounty has been dropped
postfixadmin/postfixadmin maintainer
4 months ago

(Is that ok?)

Jamie Slome
4 months ago

Admin


@michael - let me know what CVSS would be preferred here, and we can adjust!

Michael Rowley
4 months ago

Researcher


Yeah that seems fine, a score of 3.0 is what I calculated given the adjustments in scope.

Jamie Slome
4 months ago

Admin


Changed CVSS to 3.0 - cheers! 🎉

Michael Rowley
4 months ago

Researcher


Thanks!