Mantis Bugtracker          
testlink.org

View Issue Details
ID: 0008827
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2019-12-20 15:53
Last Update: 2020-01-03 19:10
Reporter: filipse
Assigned To: fman
Priority: urgent
Severity: major
Reproducibility: have not tried
Status: assigned
Resolution: open
Platform: Linux
OS: RedHat
OS Version: 7.7
Product Version: 1.9.19.01 (1.9.19 fixes)
Fixed in Version:
Summary: 0008827: Admin password was reset by intruder
Description
Dear Testlink support,

Out of the blue we got an email stating that admin password was reset.

We confirm that with the admin user:
1 - We could not login with the old password
2 - We could login with the new password as received at the email

We proceeded to disconnect the machine from network access and verified the logs.

In the audit logs, at the same time as the received email, we found out that the reset was requested by someone without a session - check attached picture 1.

Consequently we also saw in the audit logs the successful login done by us afterwards, check attached picture 2, this time showing a session id.

This looks like an exploit of a vulnerability. We have not found any information regarding this either here or on the internet.

Please advise ASAP.


Thanks,
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL 5.7.24
Browser:
PHP Version: 7.2.10
TestCaseID:
QA Team - Task Workflow Status:
Attached Files: auditsLogs_screenshot.zip (205,323 bytes) 2019-12-20 15:53

- Relationships

- Notes
(0029347)
fman (administrator)
2019-12-28 12:05

The reset password procedure needs to be changed, because right now if you know the login name you can request a password reset.
First suggestion / workaround: remove the account with 'admin' login
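The note above describes the weak pattern: a reset request needs only the login name, the password is replaced at once, and the new password is mailed out, so the legitimate user is locked out by anyone who knows the account name. The following added example (written for this page, not TestLink's own code) puts that pattern next to a hardened flow in which the password stays unchanged until a single-use, time-limited token sent to the account's e-mail address is redeemed, and the server answers identically for known and unknown logins. Everything in it is constructed: the in-memory `users` dictionary with one `admin` account, the `outbox` list standing in for mail delivery, the fixed PBKDF2 salt (a real deployment uses bcrypt or Argon2 with a per-user salt), and the injectable `clock` used to exercise token expiry.

```python
"""Password-reset flow: the weak pattern beside a hardened one (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed fixed salt to keep the example short; real code uses a per-user
# random salt with bcrypt or Argon2.
_SALT = b"example-salt"


def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


@dataclass
class User:
    login: str
    email: str
    password_hash: str


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(password))


def make_users() -> dict:
    """Constructed sample directory with a single admin account."""
    return {"admin": User("admin", "admin@example.invalid", hash_password("old-secret"))}


def weak_reset(users: dict, login: str, outbox: list) -> str:
    """The pattern the note describes: knowing the login name is enough to force
    a new password, the victim is locked out immediately, and the reply reveals
    whether the login exists at all."""
    user = users.get(login)
    if user is None:
        return "unknown login"
    new_password = secrets.token_urlsafe(8)
    user.password_hash = hash_password(new_password)  # changed before any proof of ownership
    outbox.append((user.email, f"Your new password is {new_password}"))
    return "password reset"


class ResetService:
    """Hardened flow: the password is untouched until a single-use, time-limited,
    high-entropy token delivered to the account's e-mail address is redeemed."""

    NEUTRAL = "If that account exists, a reset link has been sent."

    def __init__(self, users: dict, outbox: list, ttl_seconds: int = 900, clock=time.time):
        self.users = users
        self.outbox = outbox
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # login -> (sha256(token), expiry); only the digest is kept server-side

    def request(self, login: str) -> str:
        user = self.users.get(login)
        if user is not None:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[login] = (digest, self.clock() + self.ttl)
            self.outbox.append((user.email, f"Reset link token={token}"))
        return self.NEUTRAL  # identical answer for known and unknown logins

    def redeem(self, login: str, token: str, new_password: str) -> bool:
        entry = self.pending.get(login)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self.pending[login]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self.pending[login]  # single use: a replayed token is rejected
        self.users[login].password_hash = hash_password(new_password)
        return True


def token_from_outbox(outbox: list) -> str:
    """Extract the token from the last constructed reset mail (stands in for
    the legitimate owner following the link)."""
    return outbox[-1][1].split("token=", 1)[1]


if __name__ == "__main__":
    users, outbox = make_users(), []
    print(weak_reset(users, "admin", outbox), "-> old password still valid:",
          verify_password(users["admin"], "old-secret"))
    users, outbox = make_users(), []
    svc = ResetService(users, outbox)
    print(svc.request("admin"), "-> old password still valid:",
          verify_password(users["admin"], "old-secret"))
    print("redeem:", svc.redeem("admin", token_from_outbox(outbox), "new-secret"))
```

In the hardened variant an attacker who only knows the login name can trigger mail to the real owner but cannot change the password, cannot learn whether the account exists from the response, and cannot reuse or guess the token, which is why the audit-log entry in the report (a reset performed with no session) would not translate into a lockout.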
(0029387)
filipse (reporter)
2020-01-03 19:10

Hi,

Ok! Thanks for the suggestion. Will do so.

Do you have any estimation when this issue will be fixed?

Thanks,

- Issue History
Date Modified Username Field Change
2019-12-20 15:53 filipse New Issue
2019-12-20 15:53 filipse File Added: auditsLogs_screenshot.zip
2019-12-28 12:05 fman Note Added: 0029347
2019-12-28 12:06 fman Assigned To => fman
2019-12-28 12:06 fman Status new => feedback
2020-01-03 19:10 filipse Note Added: 0029387
2020-01-03 19:10 filipse Status feedback => assigned


