Skip to content
Permalink
Browse files

Fix h1 report 98612

Information Exposure Through Discrepancy
----------------------------------------

Karan M. Tank and Smit B. Shah have reported via HackerOne that it was
possible to check whether or not an email address was associated to one or
more user accounts on a target Revive Adserver instance by examining the
message printed by the password recovery system. Such information cannot
however be used directly to log in to the system, which requires usernames
instead.

A CVE-ID has been requested, but not assigned yet.

CWE: CWE-203
CVSSv2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  • Loading branch information...
mbeccati committed Nov 20, 2015
1 parent a323fd6 commit 38223a841190bebd7a137c7bed84fbbcb2b0c2a5
Showing with 3 additions and 6 deletions.
  1. +3 −5 lib/OA/Admin/PasswordRecovery.php
  2. +0 −1 lib/max/language/en/default.lang.php
@@ -107,11 +107,9 @@ function handlePost($vars)
$this->displayRecoveryRequestForm($GLOBALS['strEmailRequired']);
} else {
$sent = $this->sendRecoveryEmail(stripslashes($vars['email']));
if ($sent) {
$this->displayMessage($GLOBALS['strNotifyPageMessage']);
} else {
$this->displayRecoveryRequestForm($GLOBALS['strPwdRecEmailNotFound']);
}
// Always pretend an email was sent, even if not to avoid information disclosure
$this->displayMessage($GLOBALS['strNotifyPageMessage']);
}
} else {
if (empty($vars['newpassword']) || empty($vars['newpassword2']) || $vars['newpassword'] != $vars['newpassword2']) {
@@ -1067,7 +1067,6 @@
$GLOBALS['strForgotPassword'] = "Forgot your password?";
$GLOBALS['strPasswordRecovery'] = "Password recovery";
$GLOBALS['strEmailRequired'] = "Email is a required field";
$GLOBALS['strPwdRecEmailNotFound'] = "Email address not found";
$GLOBALS['strPwdRecWrongId'] = "Wrong ID";
$GLOBALS['strPwdRecEnterEmail'] = "Enter your email address below";
$GLOBALS['strPwdRecEnterPassword'] = "Enter your new password below";

0 comments on commit 38223a8

Please sign in to comment.
You can’t perform that action at this time.