tschloesser Super Contributor.

Password reset token is not deleted after use


Hi,

we found that the token generated for the password self reset service is
not automatically removed after use. This can be tested by following the
link provided in the email containing the token more than one time.

This is a security problem since, as long as the token is valid (i.e. one
hour), a second person able to capture the mail or the URL can change the
password again and then use the account.

Is this a bug or the (only) way sspr is working?

Thanks,

Thorsten


--
tschloesser
------------------------------------------------------------------------
tschloesser's Profile: https://forums.netiq.com/member.php?userid=3232
View this thread: https://forums.netiq.com/showthread.php?t=54035

Knowledge Partner

Re: Password reset token is not deleted after use

Just to be sure about what "use" means, I presume this means the password
is actually changed after using the token. In my pedantic mind, "use"
means following the link, and doing that multiple times does not seem like
as big of a problem as long as the password has not yet been reset (to
account for network issues where the first attempt failed), but maybe that
is too lax of a view. Once the password is reset, of course the previous
link should not work.

Is that clear? Am I safe in assuming the link was used a second time
AFTER the password was reset?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
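The distinction drawn in the reply above, between following the link (which may be repeated, e.g. after a network failure) and actually spending the token when the password is changed, as an added example that is not part of this thread and not SSPR's own code. It assumes an in-memory store with a one-hour lifetime; the class and method names (ResetTokenStore, peek, consume), the FakeClock helper and the sample user names are constructed for the illustration.

```python
"""One-time password-reset tokens with an expiry window.

Added illustration for this thread, not SSPR's code: ResetTokenStore, peek,
consume, FakeClock and the user names are assumptions made for the example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 3600  # one hour, the validity window mentioned in the thread


@dataclass
class ResetRecord:
    user: str
    issued_at: float


class ResetTokenStore:
    """Stores only a SHA-256 digest of each token, so a dump of the store
    (database, log, backup) does not yield usable reset links."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._records: Dict[bytes, ResetRecord] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user: str) -> str:
        """Mint a fresh token; any earlier token for the same user is revoked."""
        for key, rec in list(self._records.items()):
            if rec.user == user:
                del self._records[key]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = ResetRecord(user, self._clock())
        return token

    def _live_key(self, token: str) -> Optional[bytes]:
        """Digest of a token that is known and not yet expired, else None."""
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        if self._clock() - rec.issued_at > TOKEN_TTL_SECONDS:
            del self._records[key]  # expired: purge and treat as unknown
            return None
        return key

    def peek(self, token: str) -> Optional[str]:
        """Following the emailed link: show the form without spending the
        token, so a retry after a failed first attempt still works."""
        key = self._live_key(token)
        return self._records[key].user if key is not None else None

    def consume(self, token: str) -> Optional[str]:
        """Submitting the new password: the token is spent exactly once.
        pop() makes the check and the removal a single step."""
        key = self._live_key(token)
        if key is None:
            return None
        return self._records.pop(key).user


class FakeClock:
    """Deterministic clock for the example; advance() moves time forward."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def replay_scenario(clock: Callable[[], float]) -> Dict[str, Optional[str]]:
    """The sequence from the thread: the user resets, then the captured link
    is used again by someone else. Returns what each step saw."""
    store = ResetTokenStore(clock)
    token = store.issue("thorsten")  # constructed sample user
    return {
        "first_visit": store.peek(token),    # link followed
        "retry_visit": store.peek(token),    # followed again, nothing changed yet
        "reset_for": store.consume(token),   # password changed, token spent
        "replay": store.consume(token),      # second person replays the link
    }


if __name__ == "__main__":
    for step, who in replay_scenario(time.time).items():
        print(f"{step:12s} -> {who}")
```

Note that consume() is the only place the token is spent; peek() deliberately leaves it alone so that reloading the page before the password is changed is harmless, while the replay after the reset gets None.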
tschloesser Super Contributor.

Re: Password reset token is not deleted after use


Hi,

yes you are right. The link was used to change the password. After the
change the user clicked the link again and was able to set a new
password.

Thanks,

Thorsten


Knowledge Partner

Re: Password reset token is not deleted after use

I am guessing you are using a version before 3.3. I have tested this with
3.3 and the e-mail sent does not have a URL, but only has big long
base64-encoded block as the token. I tried using one token, changing the
password when using it, and then tried using it again, and the token was
rejected the second time (maybe two minutes later).

Is upgrading to 3.3 an option? I could try to quickly test 3.2 or
earlier, but with it fixed in 3.3 that is probably a good way to go if you
are able.

tschloesser Super Contributor.

Re: Password reset token is not deleted after use


Thanks!

Due to my vacation I was not aware of the new version.

Sure, this is an option - and it fixes a couple of other errors.

The update went fine and so far I found no more issues with the current
configuration - But we will see what the future brings up 😉

Thorsten


Knowledge Partner

Re: Password reset token is not deleted after use

Great feedback! Thank-you for sharing your results.

