[CVE-2021-41694] Weak password recovery function #18

Description

@Sh4d0v

requests\user.php contains code for password recovery:

case 'recover':
(…)
$code = md5($time);
$mysqli->query("INSERT INTO emails (type,uid,code) VALUES (1,'".$user->id."', '".$code."')");
$link = $sm['config']['site_url']."/index.php?page=recover&code=".$code."&id=".$user->id;
$name = $user->name;
$email = $user->email;
forgotMailNotification($name,$email,$link);

The md5($time) function is used to generate a secret recovery code. Since it is super easy to predict the time value on the server (for example, from the Nginx Date header in the response), it is possible to use a brute-force approach to guess the code.
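As an added example (not the project's or the reporter's code), the weak md5($time) generator from the report beside a CSPRNG-based replacement that stores only a hash of the code together with an expiry and verifies it in constant time. The function names, the extra columns (code_hash, expires_at) and the 30-minute expiry are assumptions.

```php
<?php
// Weak (as in the report): the code is the MD5 of a server timestamp. Anyone who
// can estimate the server clock to within $skew seconds has only 2*$skew+1
// candidates to try, instead of the 2^128 an MD5-sized secret suggests.
function weakRecoveryCode(int $time): string {
    return md5((string)$time);
}
function weakCandidateCount(int $skew): int {
    return 2 * $skew + 1;   // e.g. +/- 300 s of clock uncertainty -> 601 codes
}

// Hardened: 32 bytes from the OS CSPRNG, hex-encoded (64 chars). Nothing the
// attacker can observe about the server narrows the candidate space.
function strongRecoveryCode(): string {
    return bin2hex(random_bytes(32));
}

// Persist only a hash of the code, so a read of the emails table does not leak
// usable reset links, and bind parameters instead of concatenating values.
// Column names code_hash/expires_at are assumed; 30-minute expiry is assumed.
function storeRecoveryCode(mysqli $mysqli, int $uid, string $code, int $now): void {
    $hash = hash('sha256', $code);
    $expires = $now + 30 * 60;
    $stmt = $mysqli->prepare(
        "INSERT INTO emails (type, uid, code_hash, expires_at) VALUES (1, ?, ?, ?)"
    );
    $stmt->bind_param('isi', $uid, $hash, $expires);
    $stmt->execute();
}

// Verify the presented code: reject expired tokens, compare hashes in constant
// time so the check does not leak how many leading bytes matched.
function verifyRecoveryCode(string $storedHash, int $expiresAt, string $presented, int $now): bool {
    if ($now > $expiresAt) {
        return false;
    }
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Constructed illustration of the difference in candidate space (no DB needed).
$now  = time();
$weak = weakRecoveryCode($now);
$good = strongRecoveryCode();
printf("weak code %s: %d candidates within +/-300 s\n", $weak, weakCandidateCount(300));
printf("strong code %s: 2^256 candidates\n", $good);
var_dump(verifyRecoveryCode(hash('sha256', $good), $now + 1800, $good, $now)); // true
```

The reset link itself should then carry the random code, while the database row holds only its SHA-256 and the expiry.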
