Diffstat (limited to 'Weak password reset functionalities/Resources/notes.md')
-rw-r--r--Weak password reset functionalities/Resources/notes.md7
1 files changed, 7 insertions, 0 deletions
diff --git a/Weak password reset functionalities/Resources/notes.md b/Weak password reset functionalities/Resources/notes.md
new file mode 100644
index 0000000..bac2ecd
--- /dev/null
+++ b/Weak password reset functionalities/Resources/notes.md
@@ -0,0 +1,7 @@
+## Exploit
+
+The `"mail"` field of the **Recover Password** page can be inspected and edited and anyone. Open `http://10.0.2.15/?page=recover` with Firefox and change the value of the `<input name="mail" …>` element before submitting the request. Alternatively, one may also use a script like the one provided in `reset.bash`.
+
+## Fix
+
+The problem here is that the server is trusting a client-supplied address instead of looking it up server-side. The client should supply a username/account identifier and the server must match it against its email in the database.
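Review bot: the Exploit section has a typo, "can be inspected and edited and anyone" should read "can be inspected and edited by anyone". The same section points the reader to `reset.bash`, but this change adds only `notes.md` (the diffstat shows 1 file changed), so either commit the script alongside the notes or drop the reference until it exists. In the Fix section, "match it against its email in the database" is ambiguous; state the requirement directly: the client submits only the username or account identifier, the server looks up the stored email for that account and sends the reset link there, and the submitted `mail` value is ignored entirely.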