Authorization Bypass Through User-Controlled Key in emoncms/emoncms
Reported on
Jul 15th 2021
✍️ Description
Weak password requirements can lead to an account takeover vulnerability, because an attacker can easily perform brute-force attacks.
🕵️♂️ Proof of Concept
If an attacker knows the username and email of one of your users, the attacker can easily trigger a password reset for the victim; no privileges are required for this.
After that, the attacker tries to brute-force the sent temporary password.
A sample sent password is "e6fb67c24b". A password of 5 bytes is obviously very weak (it is exactly 5 bytes, not 10 characters, because the characters used are hex and each pair of hex characters encodes one byte).
Finally, your login page has no CAPTCHA verification, so an attacker can run a brute-force attack without any hindrance.
💥 Impact
This vulnerability is capable of taking control of any user account.
Occurrences
I've started here by increasing the length of the temporary password to 32 characters or 16 bytes. I will consider captcha verification or another solution to further reduce the risk of brute-force attack? Limit the number of retry attempts?
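One way to act on the retry-limit question in the comment above: refuse to check the temporary password at all once an account has accumulated too many failures in a window. This is an added example, not emoncms code; it assumes PHP 8 and uses an in-memory array as a stand-in for whatever shared store (database table, cache) a real deployment would use.

```php
<?php
declare(strict_types=1);

// Added example, not emoncms code: a per-account attempt limiter for the
// temporary-password check. The in-memory $store is an assumption standing in
// for a database table or cache shared across web workers.
final class AttemptLimiter
{
    /** @var array<string, array{count:int, first:int}> */
    private array $store = [];

    public function __construct(
        private int $maxAttempts = 5,      // failures allowed per window
        private int $windowSeconds = 900   // 15-minute window
    ) {}

    public function isBlocked(string $key, ?int $now = null): bool
    {
        $now ??= time();
        $entry = $this->store[$key] ?? null;
        if ($entry === null) {
            return false;
        }
        if ($now - $entry['first'] >= $this->windowSeconds) {
            unset($this->store[$key]);       // window expired: forget old failures
            return false;
        }
        return $entry['count'] >= $this->maxAttempts;
    }

    public function recordFailure(string $key, ?int $now = null): void
    {
        $now ??= time();
        $entry = $this->store[$key] ?? ['count' => 0, 'first' => $now];
        if ($now - $entry['first'] >= $this->windowSeconds) {
            $entry = ['count' => 0, 'first' => $now];   // start a fresh window
        }
        $entry['count']++;
        $this->store[$key] = $entry;
    }

    public function reset(string $key): void
    {
        unset($this->store[$key]);
    }
}

/**
 * Check a submitted temporary password against the stored one.
 * hash_equals() compares in constant time, so the comparison itself does not
 * leak how many leading characters matched.
 */
function verifyTemporaryPassword(
    AttemptLimiter $limiter,
    string $username,
    string $submitted,
    string $stored
): bool {
    $key = 'pwreset:' . strtolower($username);
    if ($limiter->isBlocked($key)) {
        return false;                        // refuse without even comparing
    }
    if (hash_equals($stored, $submitted)) {
        $limiter->reset($key);
        return true;
    }
    $limiter->recordFailure($key);
    return false;
}

// Constructed demo: the sample value from the report stands in for a stored temporary password.
$limiter = new AttemptLimiter(maxAttempts: 5, windowSeconds: 900);
$stored  = 'e6fb67c24b';
for ($i = 0; $i < 6; $i++) {
    $ok = verifyTemporaryPassword($limiter, 'alice', 'wrong-guess', $stored);
    printf("attempt %d -> %s\n", $i + 1, $ok ? 'accepted' : 'rejected');
}
// After the limit is reached, even the correct value is rejected until the window expires.
var_dump(verifyTemporaryPassword($limiter, 'alice', $stored, $stored));
```

A lockout keyed only by username lets anyone lock a victim out by submitting junk, so for a one-time reset value the better policy is to invalidate that temporary password after N failures and require a fresh reset, rather than freezing the account; the limiter above is the building block either way.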
Yeah my friend, this is a very good idea.
16 bytes equals 128 bits, which in crypto terms is also weak. These days, with this much computation power, the length of any token must be at least 192 bits, which equals 24 bytes. Also consider that generated random tokens should have good entropy; this means you should use secure random generators. For PHP, this is a very good document for further information: https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html
Also, if you are more interested, you could read this good OWASP documentation:
https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length
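The report's 5-byte sample and the comment's 24-byte / 192-bit recommendation, put into code: the temporary password is drawn from the operating system's CSPRNG via random_bytes(), its entropy is computed from its hex length, and only a hash of it is stored with an expiry. This is an added example, not emoncms code; the function names and the record layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not emoncms code. Function names and the reset-record
// fields ('token_hash', 'expires_at') are assumptions for illustration.

/** Hex token from the OS CSPRNG; random_bytes() throws if no secure source is available. */
function generateResetToken(int $bytes = 24): string
{
    return bin2hex(random_bytes($bytes));    // 24 bytes -> 48 hex characters, 192 bits
}

/** Entropy in bits of a hex token, assuming every hex digit is uniformly random. */
function hexTokenEntropyBits(string $hexToken): int
{
    return strlen($hexToken) * 4;            // each hex digit carries 4 bits; two digits make one byte
}

/** Build the stored record: the token is hashed, never kept in clear. */
function buildResetRecord(string $token, int $now, int $ttlSeconds = 3600): array
{
    return [
        // A fast hash is enough here: a 192-bit random token cannot be guessed
        // from its SHA-256, unlike a low-entropy user-chosen password.
        'token_hash' => hash('sha256', $token),
        'expires_at' => $now + $ttlSeconds,
    ];
}

/** Verify a submitted token: expiry first, then a constant-time hash comparison. */
function checkResetToken(array $record, string $submitted, int $now): bool
{
    if ($now >= $record['expires_at']) {
        return false;
    }
    return hash_equals($record['token_hash'], hash('sha256', $submitted));
}

// Constructed demo values.
$sample = 'e6fb67c24b';                       // the 10-hex-character value from the report
$bits   = hexTokenEntropyBits($sample);
printf("report sample: %d bits, so at most 2^%d guesses\n", $bits, $bits);

$token = generateResetToken();
printf("new token:     %d bits (%s)\n", hexTokenEntropyBits($token), $token);

$record = buildResetRecord($token, time());
var_dump(checkResetToken($record, $token, time()));          // correct token, not expired
var_dump(checkResetToken($record, $sample, time()));         // wrong token
var_dump(checkResetToken($record, $token, time() + 7200));   // correct token but expired
```

Storing only the hash means a read of the reset table (backup, SQL injection elsewhere, log leak) does not hand out live tokens, and the expiry bounds how long any single token is worth attacking regardless of its length.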
Thank you for your reply and these links Amammad, much appreciated!