Authorization Bypass Through User-Controlled Key in emoncms/emoncms


Reported on

Jul 15th 2021

✍️ Description

weak password requirements can lead to account takeover vulnerability as attacker easily can perform Bruteforce attacks.

🕵️‍♂️ Proof of Concept

if a attacker knows the username and email of the your users then attacker easily can reset the victim password and no privileges required for this.

after that attacker trying to Bruteforce the send password.

a sample send password is "e6fb67c24b" that obviously a 5 byte size for password is very weak.(it is exactly 5 byte not 10 character because of used characters are hex and each two hex character make one byte)

and at the end your login page hasn't any captcha verification and attacker can use Bruteforce attack without any problem.

💥 Impact

This vulnerability is capable of take control of any user account.

We have contacted a member of the emoncms team and are waiting to hear back 2 years ago
amammad modified the report
2 years ago
emoncms/emoncms maintainer validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
emoncms/emoncms maintainer marked this as fixed with commit 4745a8 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
emoncms/emoncms maintainer
2 years ago

I've started here by increasing the length of the temporary password to 32 characters or 16 bytes. I will consider captcha verification or another solution to reduce further risk of bruteforce attack? limit the number of retry attempts?

2 years ago


yah my friend this is very good idea

16 bytes equal to 128 bit that in crypto also this is weak, In this days with this computation power the length of any token must be at least 192 bit that equal to 24 bytes, consider this that generated random tokens should have good entropy, this means you should use secure random generators for PHP this is very good document for further information:

Also if you are more interest you could read this good OWASP documentation :

emoncms/emoncms maintainer
2 years ago

Thank you for your reply and these links Amammad, much appreciated!

2 years ago


You're welcome My Friend.

to join this conversation