Change Request Application
CRAPP-302: Change requests of users permit accessing the password hash



    Description

      Steps to reproduce:

      1. Install Change Request.
      2. Log in as a regular (non-admin) user, or as guest if Change Request is enabled for guests.
      3. Enable viewing hidden pages in your user profile or via the shortcut.
      4. Go to the profile of an admin user.
      5. Click on "Edit" and then "Save as Change Request".
      6. Give the change request a title; you can also mark it as a draft to prevent it from being listed in review queues. Click "Save".
      7. In the top navigation bar, click on the last triangle to open the menu of child pages and click on the page representing the admin user you just changed.
      8. Download the XML attachment in the attachments tab.

      Expected result:

      An error occurs at some point, or at least the resulting XML does not contain the password hash.

      Actual result:

      The XML file contains the password hash of the admin user, allowing efficient offline attacks against the password.

      The "Affects Version" is just the version that was tested; all versions of Change Request might be affected.
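      A defender-side check for the leak described above, as an added example that is not code from the bug report or from the Change Request extension: it scans an exported XWiki document XML for the password property of XWiki.XWikiUsers objects and produces a copy with that property removed. The xwikidoc/object/className/property layout is assumed from the XWiki document XML format, and the sample document and hash value are constructed.

```python
"""Check an exported XWiki document XML for password hashes (CRAPP-302).
Added example, not Change Request extension code; the xwikidoc/object/
className/property layout is assumed from the XWiki document XML format,
and the sample hash is constructed, not a real credential."""
import xml.etree.ElementTree as ET

# Object class -> property names whose values must never leave the wiki.
SENSITIVE_PROPERTIES = {"XWiki.XWikiUsers": {"password"}}

# Constructed sample: an admin profile page as it would be attached to a
# change request, carrying a (fake) password hash in its XWikiUsers object.
SAMPLE_XML = """<xwikidoc version="1.4" reference="XWiki.Admin" locale="">
  <web>XWiki</web>
  <name>Admin</name>
  <object>
    <name>XWiki.Admin</name>
    <className>XWiki.XWikiUsers</className>
    <property><first_name>Admin</first_name></property>
    <property><password>hash:SHA-512:0123abcd:constructedhash</password></property>
  </object>
</xwikidoc>
"""

def _watched_fields(obj):
    """Sensitive property names for this object's class (empty set if none)."""
    return SENSITIVE_PROPERTIES.get(obj.findtext("className", default=""), set())

def find_sensitive_properties(xml_text):
    """Return (className, propertyName) for each sensitive value in the XML."""
    root = ET.fromstring(xml_text)
    hits = []
    for obj in root.iter("object"):
        watched = _watched_fields(obj)
        for prop in obj.findall("property"):
            hits += [(obj.findtext("className"), f.tag) for f in prop if f.tag in watched]
    return hits

def redact(xml_text):
    """Return a copy of the XML with sensitive property elements removed."""
    root = ET.fromstring(xml_text)
    for obj in root.iter("object"):
        watched = _watched_fields(obj)
        for prop in obj.findall("property"):
            if any(f.tag in watched for f in prop):
                obj.remove(prop)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for class_name, field in find_sensitive_properties(SAMPLE_XML):
        print(f"leaked secret: {class_name}.{field}")  # the password property
    assert not find_sensitive_properties(redact(SAMPLE_XML))
```

      Run over the XML attachment downloaded in step 8, a non-empty result from find_sensitive_properties confirms the leak; redact shows the form the attachment should have had.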

      Attachments (uploaded by Michael Hamann):

        1. image-2023-08-07-11-18-36-649.png (79 kB)
        2. image-2023-08-07-11-20-54-833.png (54 kB)
        3. image-2023-08-07-11-21-15-871.png (39 kB)

      People: Simon Urli (surli), Michael Hamann (MichaelHamann)