MVC 5 Reset Password Account Template is Insecure.

  • Question

  • User684363852 posted

    Seriously, the only thing easier than that would be providing the emails in a combo.

    The controller asks for a code, but does not check it against a table to verify which password is supposed to be reset; any user can reset anyone's password.

    I almost did not believe it.

    Thursday, May 22, 2014 6:55 PM

Answers

  • User753101303 posted

    I haven't given this a close look, but the code is generated previously. From what I saw, I believe that the pattern is:
    - a user requests a password reset: it generates a random token (which perhaps has an expiration date?)
    - then this token is sent as part of a mail confirmation request with a link to the change password view
    - and the password reset will only succeed if this particular token is provided (and perhaps within a particular time frame?). Unsure, but my guess would be that the token is also deleted or marked expired once successful (so that the same token can't be used again for another password change).

    Not doing that in the controller allows enforcing this mechanism, so you have no way around using this reset token (make sure you are not doing something weaker when trying to implement your own mechanism).

    This is based on a first look and first thought as I'm new myself to the new identity system. Would have to investigate more to see if it works as I expect.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, May 23, 2014 5:35 AM
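    The pattern described in this answer (random token issued per account, sent out of band, checked on reset, expiring and single-use), as an added illustration that is not the MVC 5 template's code nor ASP.NET Identity's implementation; the in-memory user and token tables, the one-hour lifetime and the email addresses are constructed for the example:

```python
import hmac
import hashlib
import secrets
import time

# In-memory stand-ins for the user table and the reset-token table (constructed for this example).
USERS = {"alice@example.com": {"id": 1, "password": "old-secret"},
         "bob@example.com": {"id": 2, "password": "bob-secret"}}
RESET_TOKENS = {}  # user_id -> {"hash": sha256(token), "expires": unix time}
TOKEN_TTL_SECONDS = 3600  # assumed lifetime


def request_reset(email, now=None):
    """Issue a single-use reset token bound to one account.

    Only a hash of the token is stored, so a leaked token table cannot be replayed.
    Returns the raw token (to be emailed) or None for unknown accounts; the
    caller should respond identically in both cases to avoid account enumeration.
    """
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user["id"]] = {
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": (now or time.time()) + TOKEN_TTL_SECONDS,
    }
    return token


def reset_password(email, token, new_password, now=None):
    """Change the password only if the token belongs to this user, is unexpired
    and has not been used yet. Returns True on success, False otherwise."""
    user = USERS.get(email)
    if user is None or not token:          # a merely non-null code is not enough
        return False
    record = RESET_TOKENS.get(user["id"])  # looked up by account, never globally
    if record is None or (now or time.time()) > record["expires"]:
        RESET_TOKENS.pop(user["id"], None)
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["hash"]):
        return False
    del RESET_TOKENS[user["id"]]           # single use: consumed on success
    user["password"] = new_password
    return True
```

    A token issued for one account is rejected for any other, is rejected after its lifetime, and cannot be replayed after a successful reset.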

All replies

  • User753101303 posted

    Hi,

    Could it be done by UserManager.ResetPasswordAsync, which would return an error if the right token value is not provided? Have you tried and succeeded in changing the password for an arbitrary account?

    Thursday, May 22, 2014 7:47 PM
  • User684363852 posted

    PatriceSc

    Hi,

    Could it be done by UserManager.ResetPasswordAsync, which would return an error if the right token value is not provided? Have you tried and succeeded in changing the password for an arbitrary account?

    No, I did not, sorry. I saw the parameter being used later.

    Just panicked when I saw code != null; felt like anything goes.

    Anyway, I disliked it and did my own. But sorry again.

    Edit:

    Actually, I became curious how you did it and I found the hidden value.

    Not a security breach, but it's possible to inject the code in the hidden field and do it... Just saying to give the post a meaning.

    Thursday, May 22, 2014 9:22 PM