MantisBT - TestLink
View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008827 | TestLink | Security - General | public | 2019-12-20 15:53 | 2020-01-03 19:10 |

| Field | Value |
|---|---|
| Priority | urgent |
| Severity | major |
| Reproducibility | have not tried |
| Product Version | 1.9.19.01 (1.9.19 fixes) |
| Fixed in Version | |
| Issue Report Quality | |
| Database (MySQL, Postgres, etc.) | MySQL 5.7.24 |
| QA Team - Task Workflow Status | |
| Summary | 0008827: Admin password was reset by intruder |

Description
Dear TestLink support,

Out of the blue we got an email stating that the admin password was reset.
We confirm that with the admin user:

1. We could not log in with the old password.
2. We could log in with the new password as received in the email.

We proceeded to disconnect the machine from network access and verify the logs.
In the audit logs, at the same time as the received email, we found out that the reset was requested by someone without a session - check attached picture 1.
Consequently we also saw in the audit logs the successful login done by us afterwards, check attached picture 2, this time showing a session id.
This looks like an exploit of a vulnerability. We have not found any information regarding this either here or on the internet.
Please advise ASAP.
| Field | Value |
|---|---|
| Steps To Reproduce | |
| Tags | No tags attached. |
| Attached Files | auditsLogs_screenshot.zip (205,323) 2019-12-20 15:53 |

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2019-12-20 15:53 | filipse | New Issue | |
| 2019-12-20 15:53 | filipse | File Added: auditsLogs_screenshot.zip | |
| 2019-12-28 12:05 | fman | Note Added: 0029347 | |
| 2019-12-28 12:06 | fman | Assigned To | => fman |
| 2019-12-28 12:06 | fman | Status | new => feedback |
| 2020-01-03 19:10 | filipse | Note Added: 0029387 | |
| 2020-01-03 19:10 | filipse | Status | feedback => assigned |