Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
26 lines (13 sloc) 1.58 KB


Vendor: Center for Computational Research, University at Buffalo

Product: Open XDMoD

Affected versions: < 8.0

Open XDMoD is an open source tool to facilitate the management of high performance computing resources. It is widely deployed at academic, industrial, and government HPC centres. The web interface is written in PHP. The vulnerabilities discussed in this report have been discovered in version 7.5, and will be addressed in the upcoming 8.0 release.

Authentication bypass

Essentially, password reset tokens are generated using the following algorithm:

MD5(CONCAT(username, password_last_updated))

When validating a token, the application makes the following SQL query:

SELECT id, first_name FROM Users WHERE MD5(CONCAT(username, password_last_updated)) = reset_token

If at least one row is returned, the first match is taken. There is no check to ensure that a token is expected (i.e. that a token has been issued by the application). Additionally, tokens are easily forged. It is possible for an attacker to limit the token search space by prompting a user to change their password. A ten minute window results in just 600 possible tokens, as the "password_last_updated" value is stored in a MySQL timestamp column which is truncated to whole seconds. It may be very easy to attack the admin account if the system install time is known and the admin password has not been changed since that time.

The vendor has patched the vulnerability in a subsequent release.

See also CVE-2018-16961, CVE-2018-16960.

You can’t perform that action at this time.