[ltb-announce] Security issue on Self Service Password

Clément OUDOT clem.oudot at gmail.com
Thu Jun 14 08:06:30 CEST 2018


Hello,

this is an important message if you are using Self Service Password
software (https://ltb-project.org/documentation/self-service-password/).

Waylon Grange from Stage2 Security found an attack that allows to
change user password without knowing the old password. A CVE should be
published soon.

The code is fixed in the git repository and issues are reported here:
* https://github.com/ltb-project/self-service-password/issues/209
* https://github.com/ltb-project/self-service-password/issues/211

You can apply patches from git repository or modify directly the code
to protect against the attack:

-> pages/change.php
-if (isset($_POST["oldpassword"]) and $_POST["oldpassword"]) {
$oldpassword = $_POST["oldpassword"]; }
+if (isset($_POST["oldpassword"]) and $_POST["oldpassword"]) {
$oldpassword = strval($_POST["oldpassword"]); }

-> pages/changesshkey.php
-if (isset($_POST["password"]) and $_POST["password"]) { $password =
$_POST["password"]; }
+if (isset($_POST["password"]) and $_POST["password"]) { $password =
strval($_POST["password"]); }

-> pages/setquestions.php
-if (isset($_POST["password"]) and $_POST["password"]) { $password =
$_POST["password"]; }
+if (isset($_POST["password"]) and $_POST["password"]) { $password =
strval($_POST["password"]); }


The fix will be included in Self Service Password 1.3, which should be
released in a couple of weeks.


Thanks a lot to David and Abdoulaye for their help on resolving this issue.

Clément.


More information about the ltb-announce mailing list