Password reset is the source of several common vulnerabilities: user name enumeration (the error shown for a non-existent user differs from the error shown for a wrong password), sensitive information exposure (a plaintext password is sent to the user by e-mail) and password reset message hijacking (the attacker receives the reset message) are all routinely found in password reset functions.
Many developers do not really understand the risks that password reset carries. This post shows what harm a password reset function can cause when its developer does not follow the basic security rules.
For example, a robust password reset function generates a token and e-mails the user a link that contains that token.
The token should have the following characteristics:
at least 64 characters long
unique
random
single-use
short-lived (for example, expiring within 24 hours)
When the user clicks the link, the application must check whether the token is valid.
If the token is valid, the application must invalidate it so that it cannot be reused, and then allow the user to change their password.
In addition, if the user requests a second password reset before completing the first one, the application must cancel the old reset request when it generates the new one.
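The token lifecycle described above (64 random characters, stored only as a hash, 24-hour expiry, single use, and a new request cancelling the previous one) as an added example in Python; it is not code from the original post and uses an in-memory store in place of a database table:

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # the post's example: expire within 24 hours


class ResetTokenStore:
    """In-memory store for single-use password-reset tokens.

    Only the SHA-256 hash of each token is kept, so a leaked table does not
    let anyone redeem a token. One outstanding token per user: issuing a new
    one cancels the previous request, as the text requires.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._by_hash = {}       # token_hash -> (user_id, expires_at)
        self._by_user = {}       # user_id -> token_hash of the pending request

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        # Cancel any earlier, still-pending reset request for this user.
        old = self._by_user.pop(user_id, None)
        if old is not None:
            self._by_hash.pop(old, None)
        # 48 bytes from the OS CSPRNG -> exactly 64 URL-safe characters.
        token = secrets.token_urlsafe(48)
        h = self._hash(token)
        self._by_hash[h] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        self._by_user[user_id] = h
        return token

    def redeem(self, token):
        """Return the user_id if the token is valid, otherwise None.

        The entry is removed whether it was valid or expired, so a token
        can be presented successfully at most once.
        """
        entry = self._by_hash.pop(self._hash(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        self._by_user.pop(user_id, None)
        if self._now() > expires_at:
            return None
        return user_id
```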
To further improve security, a second factor of identity verification can be added (optional).
For example, ask the user to answer a previously chosen secret question (for example, "what is my aunt's name?") or to confirm a verification code sent to their mobile phone.
Now let's analyze a real, poorly designed password recovery system, list all of its security vulnerabilities and try to write a PoC for each.
1: <?php
2:
3: /* generates a new random password */
4: function generatePassword() {
5:     $chars = array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9");
6:     for ($i = 0; $i < 10; $i++){
7:         $password .= $chars[rand(0,35)];
8:     }
9:     return $password;
10: }
11:
12: /* send the new password to the user e-mail and update the database */
13: if ($_REQUEST['mail']) {
14:     $con = new Connection();
15:     $con->sql = " SELECT usr_user.id,
16:                          usr_user.name,
17:                          usr_user.email,
18:                          usr_user.password
19:                   FROM usr_user
20:                   WHERE usr_user.email = '" . $_REQUEST['mail'] . "'
21:                   ORDER BY id DESC ";
22:     $res = $con->executeQuery();
23:     if (is_array($res)){
24:         $usr = $res[0];
25:         $password = generatePassword();
26:         $con->sql = "UPDATE usr_user SET password = MD5(trim('".$password."')) WHERE email = '" . $_REQUEST['mail'] . "' ";
27:         $con->executeQuery();
28:
29:         /* headers */
30:         $headers = "MIME-Version: 1.0\r\n";
31:         $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
32:
33:         /* additional headers */
34:         $headers .= "To: " . $usr->name . " <" . $_REQUEST['mail'] . ">\r\n";
35:         /* [a further header line was lost in extraction] */
36:
37:         /* message body */
38:         $html = '';                   /* [HTML markup of the body was lost in extraction] */
39:         $html .= '' . $usr->name . '';
40:         $html .= '';
41:         $html .= '';
42:         $html .= '';
43:         $html .= '';
44:
45:         /* Send e-mail to user with his new password */
46:         if (mail($_REQUEST['mail'], "Your new administrative password", $html, $headers)){
47:             $message = "Your new password was sent to: " . $_REQUEST['mail'];
48:             $success = true;
49:         }
50:     } else {
51:         $message = "The provided e-mail is invalid";
52:         $success = false;
53:     }
54:
55: }
56:
57: ?>
(1) User Name Enumeration
The most obvious vulnerability is user name enumeration. The user submits an e-mail address; if that address exists, the system returns the message
"Your new password has been sent to: LanLan@wyl.com"
If the email address is not registered, the system returns
"The provided e-mail is invalid"
(2) Denial of Service
The second vulnerability is denial of service (DoS).
The system generates a new random password on every request, so an attacker can write a script that resets the password over and over (the original article suggests one request every 15 seconds; I wonder whether that rate is too low).
Combined with the user name enumeration vulnerability this does even more harm, because it can be used to change the password of any chosen user (the attacker does not receive the password, but it still causes the victim a lot of trouble).
(3) Sensitive Information Leakage
The third vulnerability is the leakage of sensitive information: the system sends the password to the user by e-mail in plaintext, and it does not force the user to change that password at the next logon.
If attackers obtain the user's e-mail (which in practice is not that easy), they can log on to the system with the password from the message.
(4) SQL Injection
The fourth vulnerability, SQL injection, is also obvious. The data submitted by the user is not filtered and is substituted directly into the query statements. It can be exploited in many ways; the input below changes the passwords of all users at once, which is also a DoS attack.
Input: ' or 1=1%23
First SQL becomes (Line 15): SELECT usr_user.id, usr_user.name, usr_user.email, usr_user.password FROM usr_user WHERE usr_user.email = '' or 1=1#' ORDER BY id DESC
Second SQL becomes (Line 26): UPDATE usr_user SET password = MD5(trim('xxxxxxxxxx')) WHERE email like '' or 1=1#'
This injection point can also be used for blind injection to extract sensitive information.
(5) Cross-Site Scripting Vulnerability
The fifth vulnerability is also easy to find. The mail parameter entered by the user is included, without any filtering, in the e-mail content and in the response message. This vulnerability has to be combined with the SQL injection vulnerability:
User Input: ' or 1=1%23<script>alert(1)</script>
First SQL becomes (Line 15): SELECT usr_user.id, usr_user.name, usr_user.email, usr_user.password FROM usr_user WHERE usr_user.email = '' or 1=1#<script>alert(1)</script>' ORDER BY id DESC
Second SQL becomes (Line 26): UPDATE usr_user SET password = MD5(trim('xxxxxxxxxx')) WHERE email like '' or 1=1#<script>alert(1)</script>'
Response Message (Line 47): Your new password was sent to: ' or 1=1#<script>alert(1)</script>
When this data is submitted, the system first changes the passwords of all users and then sends a message containing the malicious script to all of them.
(6) Password Reset Message Hijacking
The last vulnerability is password reset message hijacking, which is also a serious one. The cause is that the same user-supplied mail parameter is included in the MIME header. Exploiting it also requires combining it with the SQL injection:
User Input: LanLan@wyl.com%00' or 1=1%23
First SQL becomes (Line 15): SELECT usr_user.id, usr_user.name, usr_user.email, usr_user.password FROM usr_user WHERE usr_user.email = 'LanLan@wyl.com[null byte char]' or 1=1#' ORDER BY id DESC
Second SQL becomes (Line 26): UPDATE usr_user SET password = MD5(trim('xxxxxxxxxx')) WHERE email like 'LanLan@wyl.com[null byte char]' or 1=1#'
MIME Header becomes (Line 34): To: John Smith <LanLan@wyl.com[null byte char]' or 1=1#>
The result of executing the code with this input is that the user passwords are changed and the e-mail with the new password is sent to LanLan@wyl.com, because the [null byte char] truncates the rest of the MIME header.
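The fixes for the SQL injection (Lines 15 and 26) and the header hijacking (Line 34) analysed above, as an added Python example that is not part of the original post: the address is bound as a query parameter instead of concatenated, validated against an allow-list before it can reach a mail header, and the response no longer reveals whether the address exists. The constructed sqlite3 table mirrors the page's usr_user columns; sqlite3 comments with `--` rather than MySQL's `#`, so the probe string is adjusted accordingly.

```python
import re
import sqlite3

# Constructed sample rows (id, name, email, password) for the demonstration.
SAMPLE_USERS = [
    (1, "John Smith", "john@example.invalid", "x"),
    (2, "LanLan", "LanLan@wyl.com", "x"),
]

# Allow-list for the address: no whitespace, quotes, NUL or CR/LF can pass,
# so nothing that breaks out of a "To:" header or a query reaches either.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Same text whether or not the address is registered: no user enumeration.
NEUTRAL_MESSAGE = "If that address is registered, a reset message has been sent."


def is_safe_email(value):
    return EMAIL_RE.fullmatch(value) is not None


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usr_user (id INTEGER, name TEXT, email TEXT, password TEXT)")
    con.executemany("INSERT INTO usr_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return con


def rows_matched_concat(con, mail):
    """Vulnerable form of the page's Line 15: the address is pasted into the SQL."""
    sql = "SELECT id FROM usr_user WHERE email = '" + mail + "' ORDER BY id DESC"
    return len(con.execute(sql).fetchall())


def rows_matched_param(con, mail):
    """Hardened form: the address is a bound parameter and is never parsed as SQL."""
    sql = "SELECT id FROM usr_user WHERE email = ? ORDER BY id DESC"
    return len(con.execute(sql, (mail,)).fetchall())


def reset_password_hardened(con, mail, new_password_hash):
    """Hardened form of Lines 26 and 47: returns (rows updated, message shown).

    Malformed addresses are dropped before any query or header is built, the
    UPDATE is parameterised, and the message never depends on the outcome.
    """
    if not is_safe_email(mail):
        return 0, NEUTRAL_MESSAGE
    cur = con.execute("UPDATE usr_user SET password = ? WHERE email = ?",
                      (new_password_hash, mail))
    return cur.rowcount, NEUTRAL_MESSAGE
```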
Recently FreeBuf published a post on e-mail injection, which I think could also be used in this case; but I also think the [null byte char] will truncate the query in many databases, so I did not test it here. If you are interested, you can test it yourself.
Hope you enjoy!
Keep Hacking!
[Original article address; translated by FreeBuf editor wyl]