[ltb-dev] [LDAP Tool Box - Bug #298] (Closed) security issue in email password reset

noreply at lsc-project.org noreply at lsc-project.org
Fri Mar 25 16:13:22 CET 2011


Issue #298 has been updated by Clément Oudot.

Status changed from Assigned to Closed
% Done changed from 70 to 100

Some work done:
* r157: force output buffering desactivation
* r158: encrypt/decrypt functions
* r159: use encrypt/decrypt with tokens

The token lifetime will be managed in #289 and #290.
----------------------------------------
Bug #298: security issue in email password reset
http://tools.lsc-project.org/issues/298

Author: Matthias Ganzinger
Status: Closed
Priority: High
Assigned to: Clément Oudot
Category: Self Service Password
Target version: self-service-password-0.5


Anybody, who knows the username and email address of another user can reset that persons password *without having access to the corresponding email account.*

The reason for this is the us of the php session id as the email token. The session id is regularly sent to the requester's web browser as a cookie. However, the requestor does not necessarily have to be the owner of the account to be reset. The requester can easily read the session id from his browsers cookie store and compose a valid reset url without having access to the email sent to the account owner.

To cope with this problem, I propose the following:

* Do no longer use the php session id as the token
* instead, use an ancrypted token. The encryption key must only be stored on the server. The token will not be sent to the webbrowser.
* The token might contain the login name and a timestamp. This has the additional benefit of a token lifetime that is independent of the php session life time


I did a proof of concept implementation of my suggestion:


In file config.inc.php I added two parameters:

<pre>
# secret to encrypt email token
$keyphrase = "secret";

#lifetime (in seconds) of token for email password reset
$token_lifetime = 60*60
</pre>


In file functions.inc.php I added two functions for encrypting (AES256) / decrypting and base64 encoding / deconding the token:

<pre>
function enctoken($token)
function dectoken($token)
</pre>


In File sendtoken.php the token is generated in section "Send token by mail":

<pre>
    # create the token
    $token =  time() .";" . $login;
    $enctoken = enctoken($token);
    # Build reset by token URL
    $method = "http";
    if ( $_SERVER['HTTPS'] ) { $method .= "s"; }
    $server_name = $_SERVER['SERVER_NAME'];
    $script_name = $_SERVER['SCRIPT_NAME'];

    $reset_url = $method."://".$server_name.$script_name."?action=resetbytoken&token=".$enctoken;
</pre>


Finally, in file resetbytoken.php the token is validated in section "Get token":

<pre>
    $dectoken = dectoken($_REQUEST["token"]);
    $tokentime = strstr($dectoken, ';', true);
    $login = substr($dectoken, strpos($dectoken, ';')+1);
</pre>

and the token lifetime is checked:

<pre>
    if ( time() - $tokentime > $token_lifetime ) {
        $result = "tokennotvalid";
        error_log("Token lifetime expired");
    }
</pre>


Thank you for your nice library! I hope my suggestions are helpful.

Kind regards,


Matthias


-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ltb-project.org/pipermail/ltb-dev/attachments/20110325/5228910d/attachment.htm>


More information about the ltb-dev mailing list