FS#92 : A password reset page does not properly validate the authenticity token at the server side.

Status Closed
Assigned To

cbay
Private

Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 01.11.2024
Last edited by cbay - 04.11.2024

FS#92 - A password reset page does not properly validate the authenticity token at the server side.

A password reset page does not properly validate the authenticity token at the server side.

1. Go to https://admin.alwaysdata.com/password/lost/ and request a new password.
2. Go to email, and click on the link.
3. Put the new password, submit and intercept the request; remove the authenticity token from the request and now forward it to the server.
you will see request still got completed, its shows token invalid in the browser but you can refresh the page and you see that user is logged in with new password.

Thanks,

Waleed Anwar

Closed by cbay
04.11.2024 15:18
Reason for closing: Duplicate
Additional comments about closing:

https://security.alwaysda ta.com/task/82

04.11.2024: A request to reopen the task has been made. Reason for request: Its not a request expiration method, you can see clearly in video the browser shows the token is invalid but when you are refreshing the page it will redirecting you the login to the id, because token is not validated to the server side.

Comments (10)
Related Tasks (0/0)

cbay commented on 04.11.2024 09:09

Hello,

I cannot reproduce. If I remove the 'token' parameter, I get:

The link used is invalid. Please make a new password reset request.

Even if I refresh multiple times.

Can you give me the link, without the 'token' parameter, that works?

Kind regards,
Cyril

waloodi_109 commented on 04.11.2024 12:18

oky i will see again

waloodi_109 commented on 04.11.2024 12:24

I am still reproducing this issue, i will make a video for easy understanding

cbay commented on 04.11.2024 12:52

I only need a link, not a video.

waloodi_109 commented on 04.11.2024 14:46

1. Go to https://admin.alwaysdata.com/password/lost/ and request a new password.
2. Go to email, and copy the link and paste it into Mozilla Firefox.
3. Put the new password, submit and intercept the request into Firefox; remove the authenticity token from the request and now forward it to the server.

Sir, you can try this one

cbay commented on 04.11.2024 15:08

What you do mean by "the authenticity token"? Use proper terms (e.g. I removed the the "foo" header from the request) or send a video.

waloodi_109 commented on 04.11.2024 15:09

Take this link and try https://admin.alwaysdata.com/user/reset_password/?user_id=7o78&token=1730732919-822f5ec34e427cc6fc9f&expiration=1730992119

waloodi_109 commented on 04.11.2024 15:13

Video Link: https://www.dropbox.com/scl/fi/sig1nxqzbbrj285mh7ur8/bandicam-2024-11-04-19-54-18-005.mp4?rlkey=3w56cotrl18d2r1ip7rwp6320&st=r1x7t4ww&dl=0

cbay commented on 04.11.2024 15:18

The password forgotten link stops being valid once you've connected to the administration, which is automatically done (through a HTTP redirect) when you change the password.

waloodi_109 commented on 04.11.2024 15:27

But when i am removing the token, it showing token is invalid in the browser but after refreshing the browser it showing me to logged in the id with new password, there is a misconfiguration in the server side.

	Tasks related to this task (0)

Loading...

Keyboard shortcuts

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task