JSPWiki / JSPWIKI-79

Ounce Labs Security Finding: Authentication - Change Password

      Description:
      The change password process does not require the user to enter his original password. If an attacker has hijacked the victim's session, or the victim has left his machine unlocked and an attacker has access to his machine with a valid JSPWiki session up, an attacker can change the victim's password.

      Recommendation:
      Consider forcing the user to re-enter their original password to prevent attackers who have compromised the user's session from also changing his password, which would let them 1. gain unbound account access and 2. DoS the victim.

      Related Code Locations:
      18 findings:
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 342 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 341 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 339 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 339 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 342 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.getUserProfile(com.ecyrd.jspwiki.WikiSession):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 201 / 0
      Context: user . java.security.Principal.getName ()
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 341 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 355 / 0
      Context: context . com.ecyrd.jspwiki.WikiContext.getWikiSession() . com.ecyrd.jspwiki.WikiSession.getLoginPrincipal() . java.security.Principal.getName ()
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 342 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 342 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.getUserProfile(com.ecyrd.jspwiki.WikiSession):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 188 / 0
      Context: user . java.security.Principal.getName ()
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 342 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 339 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 341 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
      -----------------------------------
      Name: JSPWiki_2_4_104.UserPreferences_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\UserPreferences.jsp
      Line / Col: 28 / 0
      Context: "saveProfile" . java.lang.String.equals ( request . javax.servlet.ServletRequest.getParameter("action") )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 342 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 339 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
      -----------------------------------
      Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
      Type: Vulnerability.Authentication
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
      Line / Col: 341 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
      -----------------------------------

      Attachments

        1. report.pdf
          33 kB
          Cristian Borlovan

            People

              juanpablo Juan Pablo Santos Rodríguez
              cristian.borlovan@ouncelabs.com Cristian Borlovan