Small Space of Random Values in francoisjacquet/rosariosis

Valid

Reported on

Apr 26th 2022


Description

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

Vulnerable code snippet

$password = $staff['USERNAME'] . rand( 1000, 9999 );

Impact

An attacker can guess the password in at most 9000 tries.

François
a year ago

Maintainer


Hello @intrapus

Thank you very much for reporting the issue. Please note, administrators can enable "Ban after X failed login attempts" and "Change password on first login" options to mitigate brute force attacks. The user still has to type his generated password at least once. So I will raise 9999 to no more than 9999999999 in order to keep things reasonable.

François Jacquet validated this vulnerability a year ago
intrapus has been awarded the disclosure bounty
François Jacquet marked this as fixed in 8.9.5 with commit 1e1c7f a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
NotifyParents.php#L60 has been validated
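
Added example (not RosarioSIS code and not the project's fix): it compares the suffix range in the vulnerable snippet with the upper bound named in the maintainer's reply, and shows how a "Ban after X failed login attempts" threshold limits the chance of a correct guess. The function names, the threshold of 5 and the username are assumptions, and random_int() is swapped in for rand() as PHP's CSPRNG-backed integer source; because the username is known, only the numeric suffix contributes to the search space.

```php
<?php
// Added example, not RosarioSIS code. All function names are hypothetical.

/** Number of distinct suffixes an inclusive integer range can produce. */
function suffix_space( int $min, int $max ): int
{
    return $max - $min + 1;
}

/** Chance that one of $attempts distinct guesses matches a uniformly chosen suffix. */
function guess_probability( int $space, int $attempts ): float
{
    return min( 1.0, $attempts / $space );
}

/** Username + numeric suffix, with the suffix drawn from random_int() (CSPRNG). */
function generate_password( string $username, int $min, int $max ): string
{
    return $username . random_int( $min, $max );
}

// Range from the vulnerable snippet vs. the upper bound in the maintainer's reply.
$ranges = [
    'rand( 1000, 9999 )'     => [ 1000, 9999 ],
    'upper bound 9999999999' => [ 1000, 9999999999 ], // needs 64-bit PHP integers
];

// Constructed value for the "Ban after X failed login attempts" option.
$ban_after = 5;

foreach ( $ranges as $label => [ $min, $max ] ) {
    $space = suffix_space( $min, $max );
    printf(
        "%-24s space=%d  bits=%.1f  P(hit before ban)=%.2e\n",
        $label,
        $space,
        log( $space, 2 ),
        guess_probability( $space, $ban_after )
    );
}

// Constructed username; in the snippet it comes from $staff['USERNAME'].
echo generate_password( 'jdoe', 1000, 9999999999 ), "\n";
```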