Summary
The password recovery method in flaskBlog fails to validate that the submitted username and email belong to the same account. This allows any registered user to change any other user's password, including the admin's.
Details
passwordReset() in file routes/passwordReset.py contains a logic flaw in its validation: it only checks whether the submitted email and username each exist in the database. It does not check that the email address actually belongs to the requested user account.
PoC
- Register a user with any email address.
- Log out and navigate to the password reset page.
- Submit the target username (like admin) and the former email address.
- The application then sends a password reset code to the attacker's email.
- This reset code can be used to reset the admin account's password and log in as admin.
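To make the flaw in the Details section concrete, the added example below (not flaskBlog's own code; the user table, function names and field names are hypothetical) models the two validation strategies side by side. The vulnerable variant checks username existence and email existence as two independent questions, so a reset code bound to admin is issued for an attacker-controlled mailbox, exactly the scenario in the PoC. The fixed variant looks up the account by username and requires the email to be the one stored on that row.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory user table standing in for the application's
# database (hypothetical data, not flaskBlog's own schema).
USERS: Dict[str, Dict[str, str]] = {
    "admin":    {"email": "admin@example.com",    "password": "admin-secret"},
    "attacker": {"email": "attacker@example.com", "password": "attacker-pw"},
}

# Outstanding reset codes: code -> username the code will reset.
RESET_CODES: Dict[str, str] = {}


def _email_exists(email: str) -> bool:
    """Existence check across *all* rows, independent of the username."""
    return any(row["email"] == email for row in USERS.values())


def request_reset_vulnerable(username: str, email: str) -> Optional[str]:
    """Flawed logic as the advisory describes it: username and email are each
    checked for existence, but never checked against each other. The code is
    bound to the requested username yet would be mailed to the submitted address."""
    if username not in USERS or not _email_exists(email):
        return None
    code = secrets.token_urlsafe(16)
    RESET_CODES[code] = username
    return code


def request_reset_fixed(username: str, email: str) -> Optional[str]:
    """Hardened logic: fetch the account by username and require the submitted
    email to match the address stored on that exact row."""
    row = USERS.get(username)
    if row is None or row["email"] != email:
        return None
    code = secrets.token_urlsafe(16)
    RESET_CODES[code] = username
    return code


def redeem_reset_code(code: str, new_password: str) -> Optional[str]:
    """Consume a single-use code and change the bound user's password.
    Returns the username whose password changed, or None for an unknown code."""
    username = RESET_CODES.pop(code, None)
    if username is None:
        return None
    USERS[username]["password"] = new_password
    return username
```

Which address the code is mailed to matters less than which account it is bound to: in the vulnerable path the mail goes to the submitted address while the code resets the requested username, and that mismatch is the whole bug. The fix is to derive the address from the looked-up row rather than from the request, or at minimum to compare the two before issuing anything.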
Impact
This allows any newly registered user to recover the password of any other user (including the admin), take control of arbitrary user accounts, and gain admin access.