The Reset password functionality can be triggered by visiting an URL such as below
http://127.0.0.1:9090/resetpw?login=user&token=ee11cbb19052e40b07aac0ca060c23ee
The trust establishment in reset password is inherently weak because the login name and token parameter required to execute the password reset is user supplied. Additionally the apparently random key is the MD5 hash of login name which can be easily computed by an attacker.
This issue can be exploited by an attacker to reset any user's password by using an URL such as below
http://127.0.0.1:9090/resetpw?login=<username>&token=<md5(username)>
You can obtain the md5sum for user by running the following
echo -n 'user' | md5sumSolution
Store the password reset request along with a randomly generated token string and expiry
Email a reset link containing that token and username to the user
Validate the reset token for the user before password reset
Fixes
Implemented in the following files
- core/authHandler.js
- models/passreset.js
The fix has been implemented in this commit
The session secret is used is insecure and is used in the example snippets across the web
Vulnerable Code snippet
server.js
...
app.use(session({
secret: 'keyboard cat',
resave: false,
...
This allows an attacker to
- Decrypt a user's session
- Potentially forge the session cookie and bypass authentication
Solution
Always use unique, long, secure random generated for secrets
Fixes
Implemented in the following files
- server.js
- config/server.js
The fix has been implemented in this commit
Recommendation
- Do not copy paste code without understanding what it does
- Rotate session secrets
- Store secrets in environment variables or config files
- Consider using a secret management solution if your scale demands it
References