Broken Authentication – Session Token bug #215

Open
bohdan-shulha opened this issue Oct 6, 2024 · 0 comments

@bohdan-shulha (Contributor)

Reported by Kunal Mhaske [email protected]

Posting it publicly as (today) the chances of exploiting this vulnerability are extremely low.

Vulnerability Name: Broken Authentication – Session Token bug

Target URL: https://ctl.ptah.sh/

Vulnerable URL: https://ctl.ptah.sh/reset-password/tokentoken?email=kunalmhaske555%40gmail.com

I found a broken authentication vuln

POC:

1. Create an account at https://ctl.ptah.sh/
2. Confirm your email.
3. Now request a password reset.
4. Don’t use the password reset link that was sent to your email.
5. Log in to your account; remember, don’t use the reset password link you requested in step 3.
6. Change your password in the Account Settings (URL: https://ctl.ptah.sh/user/profile).
7. After you change your password inside your account, check the reset password link you requested in step 3 in your email.
8. Change your password using the reset password token you requested.

Impact

The token should expire.
If the site has a token issue, the result is that the reset password token from step 3 is still usable and has not expired yet. Not invalidating the session token for the reset password is not a good practice for a company.
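
One way to get the behaviour the report asks for is to bind each reset token to the account's current password hash, so a password change made from account settings invalidates every outstanding reset link. This is an added example, not ptah.sh code; `User`, `SERVER_KEY`, `TOKEN_TTL` and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)
TOKEN_TTL = 3600                      # assumed token lifetime in seconds


class User:
    def __init__(self, email, password):
        self.email = email
        self.set_password(password)

    def set_password(self, password):
        # Fresh salt on every change, so the stored hash always changes.
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)


def _mac(user, issued_at):
    # The MAC covers the current password hash: any password change, via the
    # reset link or via account settings, changes the expected MAC.
    msg = b"|".join([user.email.encode(), user.pw_hash, str(issued_at).encode()])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_reset_token(user, now=None):
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(user, issued_at)}"


def verify_reset_token(user, token, now=None):
    now = int(time.time() if now is None else now)
    try:
        ts, mac = token.split(".", 1)
        issued_at = int(ts)
    except ValueError:
        return False  # malformed token
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False  # expired, or timestamp in the future
    return hmac.compare_digest(mac.encode(), _mac(user, issued_at).encode())


def reset_password(user, token, new_password, now=None):
    if not verify_reset_token(user, token, now):
        return False
    user.set_password(new_password)  # also invalidates the token just used
    return True
```

A server that stores reset tokens in a table gets the same effect by deleting the user's rows whenever the password changes.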
