Status: Closed
Assigned To: cbay
Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 01.11.2024
Last edited by cbay - 04.11.2024
FS#92 - A password reset page does not properly validate the authenticity token at the server side.
1. Go to https://admin.alwaysdata.com/password/lost/ and request a new password.
2. Go to email, and click on the link.
3. Enter the new password, submit and intercept the request; remove the authenticity token from the request and then forward it to the server.
You will see the request still gets completed; it shows "token invalid" in the browser, but you can refresh the page and see that the user is logged in with the new password.
Thanks,
Waleed Anwar
Hello,
I cannot reproduce. If I remove the 'token' parameter, I get:
Even if I refresh multiple times.
Can you give me the link, without the 'token' parameter, that works?
Kind regards,
Cyril
Okay, I will check again.
I am still reproducing this issue; I will make a video for easier understanding.
I only need a link, not a video.
1. Go to https://admin.alwaysdata.com/password/lost/ and request a new password.
2. Go to your email, copy the link and paste it into Mozilla Firefox.
3. Enter the new password, submit and intercept the request in Firefox; remove the authenticity token from the request and then forward it to the server.
Sir, you can try this one
What do you mean by "the authenticity token"? Use proper terms (e.g. "I removed the 'foo' header from the request") or send a video.
Take this link and try https://admin.alwaysdata.com/user/reset_password/?user_id=7o78&token=1730732919-822f5ec34e427cc6fc9f&expiration=1730992119
Video Link: https://www.dropbox.com/scl/fi/sig1nxqzbbrj285mh7ur8/bandicam-2024-11-04-19-54-18-005.mp4?rlkey=3w56cotrl18d2r1ip7rwp6320&st=r1x7t4ww&dl=0
The forgotten-password link stops being valid once you've connected to the administration, which is done automatically (through an HTTP redirect) when you change the password.
But when I remove the token, it shows "token is invalid" in the browser, but after refreshing the browser it shows me logged in to the account with the new password; there is a misconfiguration on the server side.
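As an added illustration (not alwaysdata's code; the secret, the helper names and the exact token layout are assumptions), here is a minimal server-side validator for a reset link shaped like the one in the thread (`user_id`, `token` of the form `<issued_at>-<mac>`, and `expiration`). It rejects a request whose token parameter is absent, malformed, expired or altered, and refuses to honour the same token twice, which is the behaviour cbay describes for a link that has already been used to set a password.

```python
import hashlib
import hmac
from typing import Tuple

# Hypothetical server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def make_reset_token(user_id: str, issued_at: int, expiration: int) -> str:
    """Build a token shaped like the page's link: <issued_at>-<20 hex chars>.

    The MAC covers user_id and expiration, so neither can be changed in the
    URL without invalidating the token. (Layout is an assumption.)
    """
    msg = f"{user_id}|{issued_at}|{expiration}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:20]
    return f"{issued_at}-{mac}"


class ResetTokenValidator:
    """Validates reset links and remembers which tokens were already spent."""

    def __init__(self) -> None:
        self.consumed = set()  # tokens that have already set a password

    def validate(self, params: dict, now: int) -> Tuple[bool, str]:
        user_id = params.get("user_id")
        token = params.get("token")
        expiration = params.get("expiration")

        # A request with the token stripped must fail here, not later.
        if not user_id or not token or not expiration:
            return False, "token missing"
        try:
            issued_str, _mac = token.split("-", 1)
            issued_at = int(issued_str)
            exp = int(expiration)
        except ValueError:
            return False, "token malformed"
        if now > exp:
            return False, "token expired"

        # Recompute the expected token and compare in constant time.
        expected = make_reset_token(user_id, issued_at, exp)
        if not hmac.compare_digest(expected, token):
            return False, "token invalid"
        if token in self.consumed:
            return False, "token already used"
        return True, "ok"

    def reset_password(self, params: dict, new_password: str, now: int) -> Tuple[bool, str]:
        """Change the password only after the token has passed every check."""
        ok, reason = self.validate(params, now)
        if not ok:
            return False, reason
        # Spend the token before doing anything else so a replay is refused.
        self.consumed.add(params["token"])
        # The new password would be hashed and stored here; omitted in this example.
        return True, "password changed"


if __name__ == "__main__":
    # Constructed sample link parameters, not values from the report.
    validator = ResetTokenValidator()
    tok = make_reset_token("user-123", 1000, 2000)
    link = {"user_id": "user-123", "token": tok, "expiration": "2000"}
    print(validator.reset_password(link, "new-pw", 1500))   # first use succeeds
    print(validator.reset_password(link, "new-pw", 1600))   # second use is refused
    print(validator.validate({"user_id": "user-123", "expiration": "2000"}, 1500))
```

The order of checks matters: presence of every parameter is tested before anything is parsed, so a request with the token removed can never reach the password-change step, and the token is marked consumed before the password is stored so that a replayed request is rejected even if it arrives a moment later.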