mahara-contributors team mailing list archive

[Bug 1333096] Re: Password reset key leaked via HTTP "Referer" field

I fixed the flaws by following the given steps. Besides this, AOL email
is much easier and better than any other email service. It is secure and
very convenient as well. If you are facing any difficulty with Forgot AOL Password,
you should check the website http://www.aolhelp247.com/aol-forgot-password/
to get the best solution.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1333096

Title:
  Password reset key leaked via HTTP "Referer" field

Status in Mahara:
  Fix Released
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released

Bug description:
  If a site has resources on external domains, and a user clicks the
  link in a "forgot password" email, then the key to reset their
  password gets sent to those external domains via the "Referer" field
  of the HTTP request. External resources could be from the Persona
  plugin (which loads up a javascript file from the main Persona
  server), from the $CFG->additionalhtml field including a Piwik or
  Google tracking cookie, or other sources.

  To replicate:

  1. Turn on the Persona authentication plugin

  2. Log out of Mahara

  3. Click the "Lost username / password" link

  4. You'll receive a password reset email. It will contain a link like
  this: "https://mahara.example.com/forgotpass.php?key=3wKYEeGdBI2J5jSc";

  5. In your web browser, turn on a tool that lets you view HTTP
  requests and their headers.

  6. Load the password reset link

  Result: You'll see the "key" param of forgotpass.php being sent to the
  persona.org servers:

  Host=login.persona.org
  User-Agent=Mozilla/5.0 (Windows NT 6.3; rv:30.0) Gecko/20100101 Firefox/30.0
  Accept=*/*
  Accept-Language=en-US,en;q=0.5
  Accept-Encoding=gzip, deflate
  Referer=https://mahara.example.com/forgotpass.php?key=3wKYEeGdBI2J5jSc
  Connection=keep-alive

  The password reset process takes two page loads. The first
  page load displays the "new password" form to the user, and the second
  page load actually changes their password and expires the key.

  So that means this is actually abusable. An attacker who had a
  resource that gets included in each page load could, in theory, listen
  for that key in the Referer field, and then quickly use it to reset
  the password themselves.

  Low priority because this attack requires the attacker to have
  compromised the system already. And there's only a slim window of
  opportunity. They have to use the key after the new password screen is
  loaded, but before the user fills it out and submits it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1333096/+subscriptions
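The following is an added example, not code from Mahara or from anyone on this bug thread. It shows the two halves of the problem described above from a defender's side: a small detector that scans header dumps in the `Key=Value` format quoted in the report and flags any outbound `Referer` that still carries the `key` parameter, and a simulated `forgotpass.php` handler that takes the key out of the URL (store it in the session, redirect to the bare path) before the "new password" page and its third-party resources ever render, and consumes the key on the final POST. The `Referrer-Policy: no-referrer` header, the session dictionary and the `valid_keys` store are assumptions of this example, as is the sample header text, which is constructed here.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query parameters that must never appear in a Referer sent to a third party.
SENSITIVE_PARAMS = {"key"}

# Constructed sample: two captured request header blocks, in the Key=Value
# layout used in the bug report, separated by a blank line. The first one
# reproduces the leak; the second is a harmless page view.
SAMPLE_HEADER_DUMPS = """\
Host=login.persona.org
User-Agent=Mozilla/5.0 (Windows NT 6.3; rv:30.0) Gecko/20100101 Firefox/30.0
Referer=https://mahara.example.com/forgotpass.php?key=3wKYEeGdBI2J5jSc
Connection=keep-alive

Host=cdn.example.net
Referer=https://mahara.example.com/view/view.php?id=42
Connection=keep-alive
"""


def parse_header_dumps(text):
    """Split a dump into one dict per request; header names are lower-cased."""
    requests = []
    for chunk in text.strip().split("\n\n"):
        headers = {}
        for line in chunk.splitlines():
            name, _, value = line.partition("=")
            headers[name.strip().lower()] = value.strip()
        requests.append(headers)
    return requests


def find_referer_leaks(text, sensitive=SENSITIVE_PARAMS):
    """Return (destination host, [leaked param names]) for every request whose
    Referer query string contains a sensitive parameter."""
    leaks = []
    for headers in parse_header_dumps(text):
        referer = headers.get("referer")
        if not referer:
            continue
        query_params = parse_qs(urlsplit(referer).query)
        leaked = sorted(sensitive.intersection(query_params))
        if leaked:
            leaks.append((headers.get("host", "?"), leaked))
    return leaks


def handle_forgotpass(method, url, session, valid_keys, new_password=None):
    """Simulated reset handler (assumed design, not Mahara's own code).

    GET with ?key=...: validate, stash the key in the session, and redirect to
    the same path without a query string. Because the redirect response has no
    body, no external resource is loaded while the key is in the URL, so the
    Referer that later reaches third-party hosts is the clean path.
    GET without key: render the form only if the session holds a valid key.
    POST: change the password, expire the key, clear the session.
    """
    parts = urlsplit(url)
    query_params = parse_qs(parts.query)
    # Belt and braces: ask browsers that support it to send no Referer at all.
    common_headers = {"Referrer-Policy": "no-referrer"}

    if method == "GET" and "key" in query_params:
        key = query_params["key"][0]
        if key not in valid_keys:
            return {"status": 403, "headers": common_headers, "body": "invalid key"}
        session["reset_key"] = key
        clean_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
        return {"status": 303, "headers": {**common_headers, "Location": clean_url}, "body": ""}

    if method == "GET":
        if session.get("reset_key") in valid_keys:
            return {"status": 200, "headers": common_headers, "body": "<form>new password</form>"}
        return {"status": 403, "headers": common_headers, "body": "no reset in progress"}

    if method == "POST":
        key = session.pop("reset_key", None)
        if key not in valid_keys or not new_password:
            return {"status": 403, "headers": common_headers, "body": "invalid or expired key"}
        valid_keys.discard(key)  # one-shot: the key is dead after this request
        return {"status": 200, "headers": common_headers, "body": "password changed"}

    return {"status": 405, "headers": common_headers, "body": "method not allowed"}


if __name__ == "__main__":
    print(find_referer_leaks(SAMPLE_HEADER_DUMPS))
    session, keys = {}, {"3wKYEeGdBI2J5jSc"}
    first = handle_forgotpass("GET", "https://mahara.example.com/forgotpass.php?key=3wKYEeGdBI2J5jSc", session, keys)
    print(first["status"], first["headers"]["Location"])
```

Running the detector over the sample reports only the `login.persona.org` request, which matches the capture in the bug report; the redirect handler answers the emailed link with a `303` whose `Location` is `https://mahara.example.com/forgotpass.php` with no query string, so the form page that follows leaks nothing in its Referer, and a second POST with the same key is refused because the key was consumed.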