View Revisions: Issue #22690

Summary 0022690: CVE-2017-7615: Account verification page allows resetting any user's password
Revision 2017-04-09 12:12 by vboctoradmin
Description

John Page AKA hyp3rlinx reported the following security issue by e-mail:

I want to report and make you aware of the following security issue: attackers can hijack accounts if only supplying the user ID and username.

In verify.php we find:

if( $f_confirm_hash != $t_token_confirm_hash ) {

If we supply an empty string, we easily bypass the security check.

E.g. go to this URL in a browser after you log out of Mantis.

http://127.0.0.1/mantisbt-2.3.0/mantisbt-2.3.0/verify.php?id=1&confirm_hash=

This will then allow you to change passwords and hijack accounts.

For credits use:

John Page aka hyp3rlinx / ApparitionSec
hyp3rlinx.altervista.org
Revision 2017-04-08 10:07 by dregad
Description

John Page AKA hyp3rlinx reported the following security issue by e-mail:

I want to report and make you aware of the following security issue: attackers can hijack accounts if only supplying the user ID and username.

In verify.php we find:

if( $f_confirm_hash != $t_token_confirm_hash ) {

If we supply an empty string, we easily bypass the security check.

E.g. go to this URL in a browser after you log out of Mantis.

http://127.0.0.1/mantisbt-2.3.0/mantisbt-2.3.0/verify.php?id=1&confirm_hash=

This will then allow you to change passwords and hijack accounts.
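
The comparison quoted in the report, next to a stricter form, as an added example (not MantisBT's code and not its actual fix). It assumes the stored token value is null when no verification token exists for the account, which is the case where PHP's loose != treats an empty confirm_hash as equal. The function names and sample values are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not MantisBT code.
// Assumption: $storedHash is null when the account has no pending token.

// Check in the shape quoted from verify.php: loose != comparison.
// '' != null evaluates to false, so an empty hash is not rejected.
function is_rejected_loose( $submittedHash, $storedHash ) {
    return $submittedHash != $storedHash;
}

// Hardened check: require a non-empty stored token and a non-empty
// submitted value, then compare them as strings in constant time.
function is_rejected_strict( $submittedHash, $storedHash ) {
    if( !is_string( $storedHash ) || $storedHash === '' ) {
        return true;   // nothing on file to verify against
    }
    if( !is_string( $submittedHash ) || $submittedHash === '' ) {
        return true;   // empty or non-string input never matches
    }
    return !hash_equals( $storedHash, $submittedHash );
}

// Constructed cases: label, submitted confirm_hash, stored token.
$cases = array(
    array( 'empty hash, no token on file', '', null ),
    array( 'wrong hash, token on file', 'aaaa', 'c0ffee' ),
    array( 'correct hash, token on file', 'c0ffee', 'c0ffee' ),
);

foreach( $cases as $c ) {
    list( $label, $submitted, $stored ) = $c;
    printf( "%-30s loose: %-7s strict: %s\n", $label,
        is_rejected_loose( $submitted, $stored ) ? 'reject' : 'ACCEPT',
        is_rejected_strict( $submitted, $stored ) ? 'reject' : 'accept' );
}
```

Only the first case differs between the two checks: the loose comparison accepts it, while the strict one rejects it because there is no stored token to match.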