Forcepoint Secure Messaging 8.5 Password Reset Fail

2018.11.07
Credit: Eitan Shav
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

When the user wants to reset his password, he then gets a password reset link to his mail. (The reset password page is made of "new password" field and "reset password" button) This password reset link will be valid only if: 1.the link wasn't used before. 2.the link was used within 24 hours of the password reset request. If the conditions are not met, the user will get some error message saying "this link is not valid anymore" so that the password reset process will not proceed and the password field and the "reset password" button will be greyed-out. BUT, if the users changes the disabled property of the password input field and the reset button inside the page's DOM he is able to restore it's functionality and reset the password. So if an attacker gets this link, even if it's not valid anymore, he is able to reset the password of a specific user and then get into his account screen shots of POC: 1. https://eitrnel.000webhostapp.com/frcpnt/delete.the.disabled.value.png 2. https://eitrnel.000webhostapp.com/frcpnt/reset.mechanisem.recoverd.png 3. https://eitrnel.000webhostapp.com/frcpnt/post.req.to.the.server.png

References:

https://eitrnel.000webhostapp.com/frcpnt/delete.the.disabled.value.png
https://eitrnel.000webhostapp.com/frcpnt/reset.mechanisem.recoverd.png
https://eitrnel.000webhostapp.com/frcpnt/post.req.to.the.server.png


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top