Authorization Bypass Through User-Controlled Key in emoncms/emoncms

Valid
Reported on Jul 15th 2021

✍️ Description

Weak password requirements can lead to an account takeover vulnerability, because an attacker can easily perform brute-force attacks against the generated password.

🕵️‍♂️ Proof of Concept

If an attacker knows the username and email of one of your users, the attacker can easily trigger a reset of the victim's password; no privileges are required for this.

After that, the attacker tries to brute-force the password that was sent.

A sample sent password is "e6fb67c24b". A 5-byte password is obviously very weak (it is exactly 5 bytes, not 10 characters, because the characters used are hex and each pair of hex characters makes one byte).

Finally, your login page has no captcha verification, so the attacker can run a brute-force attack without any problem.

💥 Impact

This vulnerability is capable of taking control of any user account.

We have contacted a member of the emoncms team and are waiting to hear back (11 days ago)
amammad modified their report (11 days ago)
emoncms/emoncms maintainer validated this vulnerability (4 days ago)
amammad has been awarded the disclosure bounty: $25
The fix bounty is now up for grabs: $6.25
emoncms/emoncms maintainer confirmed that a fix has been merged on 4745a8 (4 days ago)
The fix bounty has been dropped: $6.25
emoncms/emoncms maintainer · 4 days ago

I've started here by increasing the length of the temporary password to 32 characters, or 16 bytes. I will consider captcha verification or another solution to further reduce the risk of a brute-force attack. Limit the number of retry attempts?

amammad (Researcher) · 4 days ago

Yeah, my friend, this is a very good idea.

16 bytes equals 128 bits, which in crypto is also weak. These days, with this computational power, the length of any token must be at least 192 bits, which equals 24 bytes. Also consider that generated random tokens should have good entropy; this means you should use secure random generators. For PHP, this is a very good document for further information: https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html

Also, if you are more interested, you could read this good OWASP documentation:

https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length
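As an added illustration of the two lengths discussed on this page (the 5-byte sample password in the proof of concept and the 192-bit recommendation in the comment above), not code from emoncms itself: the Python below computes the keyspace each length leaves to a brute-forcer, generates a temporary password from a CSPRNG (PHP's equivalent is random_bytes()), and sketches the retry limit the maintainer mentions; ResetAttemptLimiter, its parameters and the 1000 guesses/second rate are assumptions for the example.

```python
import math
import secrets

HEX_ALPHABET = 16  # temporary passwords are hex strings: 16 possible symbols per character

def entropy_bits(length_chars: int, alphabet_size: int = HEX_ALPHABET) -> float:
    """Entropy of a uniformly random string; 2 hex chars = 1 byte = 8 bits."""
    return length_chars * math.log2(alphabet_size)

def expected_guesses(length_chars: int, alphabet_size: int = HEX_ALPHABET) -> int:
    """Average guesses needed to hit a uniformly random value: half the keyspace."""
    return alphabet_size ** length_chars // 2

def hours_to_crack(length_chars: int, guesses_per_second: float) -> float:
    """Expected brute-force time when no captcha or lockout slows the attacker."""
    return expected_guesses(length_chars) / guesses_per_second / 3600

def temporary_password(byte_len: int = 24) -> str:
    """CSPRNG-backed hex password (24 bytes = 48 hex chars = 192 bits); secrets reads os.urandom."""
    return secrets.token_hex(byte_len)

class ResetAttemptLimiter:
    """Hypothetical retry limiter for the reset flow: lock the issued token after
    max_attempts wrong guesses so the rest of the keyspace cannot be searched."""

    def __init__(self, max_attempts: int = 5) -> None:
        self.max_attempts = max_attempts
        self.failures: dict[str, int] = {}

    def verify(self, user: str, issued: str, supplied: str) -> bool:
        if self.failures.get(user, 0) >= self.max_attempts:
            return False  # locked: a fresh token must be issued out of band
        if secrets.compare_digest(issued, supplied):  # constant-time comparison
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False

if __name__ == "__main__":
    for n in (10, 32, 48):  # report's sample, maintainer's fix, researcher's 192-bit advice
        print(f"{n} hex chars: {entropy_bits(n):.0f} bits, "
              f"~{hours_to_crack(n, 1000):.3g} hours at 1000 guesses/s")
    print("fresh temporary password:", temporary_password())
```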

emoncms/emoncms maintainer · 4 days ago

Thank you for your reply and these links Amammad, much appreciated!

amammad (Researcher) · 4 days ago

You're welcome, my friend.