lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 5 Nov 2018 09:01:13 +0000
From: Eitan shav <eitan@...adel.co.il>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Security issue in the password reset mechanism of Forcepoint
 Secure Messaging product (tested in version 8.5)

When the user wants to reset his password, he then gets a password reset link to his mail. (The reset password page is made of "new password"
field and "reset password" button)

This password reset link will be valid only if:
1.the link wasn't used before.
2.the link was used within 24 hours of the password reset
request.

If the conditions are not met, the user will get some
error message saying "this link is not valid anymore" so that the password reset process will not proceed and the password field and the "reset password" button will be greyed-out.

BUT, if the users changes the disabled property of the password input field and the reset button inside the page's DOM he is able to restore it's functionality and reset the password.
So if an attacker gets this link, even if it's not valid anymore,
he is able to reset the password of a specific user and then get into his account

screen shots of POC:


  1.  https://eitrnel.000webhostapp.com/frcpnt/delete.the.disabled.value.png
  2.  https://eitrnel.000webhostapp.com/frcpnt/reset.mechanisem.recoverd.png
  3.  https://eitrnel.000webhostapp.com/frcpnt/post.req.to.the.server.png



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists