|Anonymous | Login | Signup for a new account||2020-01-21 14:39 UTC|
|Main | My View | View Issues | Change Log | My Account|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0008827||TestLink||Security - General||public||2019-12-20 15:53||2020-01-03 19:10|
|Priority||urgent||Severity||major||Reproducibility||have not tried|
|Product Version||1.9.19.01 (1.9.19 fixes)|
|Fixed in Version|
|Summary||0008827: Admin password was reset by intruder|
Dear Testlink support,
Out of the blue we got an email stating that admin password was reset.
We confirm that with the admin user:
1 - We could not login with the old password
2 - We could login with the new password as received at the email
We proceed to disconnect the machine from network access and verify the logs.
At the audit logs and at the same time of the received email we found out that the reset was request by someone without a session - check attached picture 1.
Consequently we also saw on the audits log the successful login done by us afterwards, check attached picture 2, this time showing a session id.
This looks like an exploit of a vulnerability. We have not find any information regarding this either here or on the internet.
Please advice ASAP.
|Tags||No tags attached.|
|Database (MySQL,Postgres,etc)||MySQL 5.7.24|
|QA Team - Task Workflow Status|
|Attached Files||auditsLogs_screenshot.zip [^] (205,323 bytes) 2019-12-20 15:53|
The reset password procedure need to be changed, because right now if you know the login name you can request a password reset.
First suggestion /workaround: remove the account with 'admin' login
Ok! Thanks for the suggestion. Will do so.
Do you have any estimation when this issue will be fixed?
|2019-12-20 15:53||filipse||New Issue|
|2019-12-20 15:53||filipse||File Added: auditsLogs_screenshot.zip|
|2019-12-28 12:05||fman||Note Added: 0029347|
|2019-12-28 12:06||fman||Assigned To||=> fman|
|2019-12-28 12:06||fman||Status||new => feedback|
|2020-01-03 19:10||filipse||Note Added: 0029387|
|2020-01-03 19:10||filipse||Status||feedback => assigned|
|Copyright © 2000 - 2020 MantisBT Team|