MantisBT - TestLink
View Issue Details
ID: 0008827
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2019-12-20 15:53
Last Update: 2020-01-03 19:10
Reporter: filipse
Assigned To: fman
Priority: urgent
Severity: major
Reproducibility: have not tried
Status: assigned
Resolution: open
Platform: Linux
OS: RedHat
OS Version: 7.7
Product Version: 1.9.19.01 (1.9.19 fixes)
Database: MySQL 5.7.24
PHP Version: 7.2.10
0008827: Admin password was reset by intruder

Dear Testlink support,

Out of the blue we got an email stating that admin password was reset.

We confirm that with the admin user:
1 - We could not login with the old password
2 - We could login with the new password as received at the email

We proceeded to disconnect the machine from network access and verify the logs.

In the audit logs, at the same time as the received email, we found out that the reset was requested by someone without a session - check attached picture 1.

Consequently we also saw in the audit log the successful login done by us afterwards, check attached picture 2, this time showing a session id.

This looks like an exploit of a vulnerability. We have not found any information regarding this either here or on the internet.

Please advise ASAP.


Thanks,
No tags attached.
Attachment: auditsLogs_screenshot.zip (205,323 bytes) 2019-12-20 15:53
http://mantis.testlink.org/file_download.php?file_id=5265&type=bug
Issue History
2019-12-20 15:53 | filipse | New Issue
2019-12-20 15:53 | filipse | File Added: auditsLogs_screenshot.zip
2019-12-28 12:05 | fman | Note Added: 0029347
2019-12-28 12:06 | fman | Assigned To => fman
2019-12-28 12:06 | fman | Status: new => feedback
2020-01-03 19:10 | filipse | Note Added: 0029387
2020-01-03 19:10 | filipse | Status: feedback => assigned

Notes
(0029347)
fman
2019-12-28 12:05
The reset password procedure needs to be changed, because right now if you know the login name you can request a password reset.
First suggestion / workaround: remove the account with 'admin' login
(0029387)
filipse
2020-01-03 19:10
Hi,

Ok! Thanks for the suggestion. Will do so.

Do you have any estimation when this issue will be fixed?

Thanks,