[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAfuxnLJgZbeq1x-JUBvUBaGq0mxZ1H4B5nP-SM56zPv1gCHSA@mail.gmail.com>
Date: Mon, 29 Aug 2011 09:23:27 +0200
From: Dan Luedtke <maildanrl@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Dienstplan 2.2 predictive password generation
Disocvered on Tue, 07 Jun 2011
by Dan Luedtke http://www.danrl.de
Abstract
========
Calendar application Dienstplan 2.2 uses predictive passwords in
user-creation and password-reset routines.
About Dienstplan
================
Dienstplan is a web-based calendar application written in PHP targeting
clubs and associations. Registered users may RSVP to sheduled events.
See http://www.thomas-gubisch.de/dienstplan.html for further
information.
Vulnerable Versions
===================
Tested on Dienstplan 2.2, others may be vulnerable
Predictive Password Generation (1/2)
====================================
When a new account is created, the password is derived from the
time()-function, which gives back the current UNIX TIME STAMP. A
non-salted md5-hash of UNIX TIME STAMP becomes the initial password and
is valid until the users changes the password manually.
--[ user_func.php lines 46-49 ]--
// id = 0 -> new user
if($id == 0)
$id = master_addUser($username, $email, md5(time()));
else
--
An attacker (roughly) knowing when a user account was created can
predict the password.
Predictive Password Generation (2/2)
====================================
A user can reset his own password. Unfortunately, everyone having access
to the application via browser can trigger this process for every known
user (e.g. admin). The application then generates a new password as
shown below. The new password is mailed to the user it was generated
for.
--[ user_func.php line 134 ]--
$password = md5(time());
--
An attacker might predict the password, or a set of possible passwords,
by precalculating the md5-hashes of past, current, and future UNIX TIME
STAMPs (e.g. +/-10 seconds, depends on server's offset). He may trigger
the password reset process and log in with one of the precalculated
passwords.
Remarks
=======
* Author responded in less than 24h. A fix was provided soon after that.
* Disclosure has been delayed for 2+ months for users to update their
software.
regards,
danrl
--
Dan Luedtke
http://www.danrl.de (private)
http://www.dlitc.com (company)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists