lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 20 Oct 2006 09:24:40 -0500
From: "Mike Klingler" <whitehatguru@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Advisory for Oneorzero helpdesk

Permanant Link : http://www.whitedust.net/speaks/3043/

------------------------------------------------------------
            - Advisory for OneOrZero Helpdesk -
------------------------------------------------------------
 - OneOrZero Helpdesk -

AFFECTED PRODUCTS
=================
OneOrZero Helpdesk v1.6.0 - v1.6.4


OVERVIEW
========
>>From the website: "The OneOrZero Open Source Task Management and Help Desk
System is a powerful task management and help desk application,
based to 'get the job done'."
http://www.oneorzero.com/

An insecure password reset allows external knowledge of what the
password is set to.



DETAILS
=======
1. Information Disclosure

The forgot password function will reset the password after a security question
is answered.  However, the admin user has this password left blank by default
and is often left that way after the program is installed.  By
attempting to reset
the admin password and leaving the answer blank one can force a reset of the
password.  However, since the password reset function sets the password based
only on the username and the time on the server, the password that it is set
to can be determine easily. Once the time of a server is discovered determining
what the password is set to becomes trivial.


POC
===

1.
------

The password is generated with the following code:
$password = time().$_POST[username];

Quite often web servers will return the date on the servers for when
the request is
processed.  For example "Date: Thu, 12 Oct 2006 01:11:21 GMT"

The following command on a linux will return the unix time for the
system for when
the request was processed.

bash$ date --date="Thu, 12 Oct 2006 01:11:21 GMT" "+%s"
1160615001

Which allows us to deduce the return password of 1160615001admin

SOLUTION:
=========
vendor contact:
Info@...orzero.com Sept. 28 Vendor notification.
halla@...orzero.com Sept. 29 Vendor reply

halla@...orzero.com Oct. 10 oneorzero v1.6.5.4 released to address this issue.



Credits
=======
This vulnerability was discovered and researched by
Michael Klingler
whitehatguru at gmail.com
SecurityMetrics, Inc.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ