[drupal-devel] [feature] Don't reset existing password on request, prevent DoS password reset abuse

brlcad drupal-devel at drupal.org
Mon Feb 7 02:48:19 UTC 2005


 Project:      Drupal
 Version:      4.5.2
 Component:    user system
 Category:     feature requests
 Priority:     critical
 Assigned to:  Anonymous
 Reported by:  brlcad
 Updated by:   brlcad
 Status:       patch
 Attachment:   http://drupal.org/files/issues/pass_alt2.diff (6.81 KB)

Oops.. posted the wrong diff file.  It's missing 4 lines from
user_save() that md5's the pass_alt:
      else if ($key == 'pass_alt') {
        $query .= "$key = '%s', ";
        $v[] = md5($value);
      }
Attachment includes the update.  
Agree with drumm that not sending the password altogether would be
desirable.  Regardless, the main point (and primary vulnerability) is
to not reset the existing password until you are sure who is making
that request.


brlcad



Previous comments:
------------------------------------------------------------------------

February 6, 2005 - 20:54 : brlcad

Attachment: http://drupal.org/files/issues/pass_alt.diff (6.12 KB)

This patch adds a field to the user table for storing an alternate
password.  When a password request is made, the alternate password is
set instead of clobbering the existing password.  This allows the user
to discard the regenerated password e-mail, preserving the existing
password.  
This also prevents abuse whereby any anonymous user can repeatedly
reset user passwords potentially entirely blocking access to a site,
e.g. a curl shell script that repeatedly posts a password reset request
for all accounts. 
Iff the alternate password is used for authentication, the alternate
password becomes the main password.  If the main password is set (e.g.
admin user form), the alternate password is unset.
The patch was made against DRUPAL-4-5-2.
Cheers!
Sean


------------------------------------------------------------------------

February 6, 2005 - 21:08 : drumm

IMO the fix to this issue should remove sending the password
altogether. Instead store a unique hash code and then send a URL with
that code which presents a page for entering the new password twice.
The same hash code system could be used for activating new accounts
without sending a password in email.

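The token-based flow drumm describes above, combined with brlcad's point that the existing password must stay valid until the requester proves who they are, as an added Python sketch; this is not code from either patch or from Drupal. The in-memory store, the URL format, the 24-hour expiry and the use of PBKDF2 in place of the patch's md5 are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 60 * 60  # assumption: a reset link is good for one day

def hash_password(password, salt=None):
    """Salted PBKDF2; the 2005 patch md5'd the value, which is not something to copy today."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(stored, password):
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))

class UserStore:
    """In-memory stand-in for the user table: a pass column plus one pending reset."""
    def __init__(self):
        self.users = {}

    def add_user(self, name, password):
        self.users[name] = {"pass": hash_password(password), "reset": None}

    def login(self, name, password):
        u = self.users.get(name)
        return u is not None and check_password(u["pass"], password)

    def request_reset(self, name, now=None):
        """Anonymous request: new token, current password untouched, so repeats cannot lock the user out."""
        u = self.users.get(name)
        if u is None:
            return None  # nothing to send; also avoids confirming which accounts exist
        token = secrets.token_urlsafe(32)
        expires = (now or time.time()) + TOKEN_TTL
        u["reset"] = (hashlib.sha256(token.encode()).digest(), expires)  # store only the hash
        return f"https://example.invalid/user/password/{name}/{token}"  # what the e-mail carries

    def complete_reset(self, name, token, new_password, now=None):
        """Only the recipient of the e-mail can change the password; the token is single-use."""
        u = self.users.get(name)
        if u is None or u["reset"] is None:
            return False
        token_hash, expires = u["reset"]
        presented = hashlib.sha256(token.encode()).digest()
        if (now or time.time()) > expires or not hmac.compare_digest(token_hash, presented):
            return False
        u["pass"] = hash_password(new_password)
        u["reset"] = None
        return True
```

A second request simply replaces the pending token; neither request touches the stored password, which is the property the thread is after.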

-- 
View: http://drupal.org/node/16909
Edit: http://drupal.org/project/comments/add/16909
