Unverified Password Change in zmister2016/mrdoc

Valid

Reported on

Oct 16th 2021


Description

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

image

Proof of Concept

https://github.com/zmister2016/MrDoc/blob/master/app_admin/views.py#L985

# 普通用户修改密码
@login_required()
@logger.catch()
def change_pwd(request):
    if request.method == 'POST':
        try:
#  Without verifying the original password
            password = request.POST.get('password',None)
            password2 = request.POST.get('password2',None)
            print(password, password2)
            if password and password== password2:
                if len(password) >= 6:
                    user = User.objects.get(id=request.user.id) 
                    user.set_password(password)
                    user.save()

Impact

This vulnerability is capable of

  • setting a new password for a user without knowing the original password,
  • in some certain cases (such as XSS attack), the attacker could directly modify the password with just a valid session

recommended fix

  • validate the original password befroe saving new password
We have contacted a member of the zmister2016/mrdoc team and are waiting to hear back 2 months ago
hi-unc1e
a month ago

Researcher


hello, is there any update?

We have sent a second follow up to the zmister2016/mrdoc team. We will try again in 10 days. a month ago
zmister2016 validated this vulnerability a month ago
hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
zmister2016 confirmed that a fix has been merged on 232414 a month ago
zmister2016 has been awarded the fix bounty