Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #7730 Insufficient entropy for session ID and password reset token
    Actions
    Infos
    #7730
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-01-02 16:46
    7731
    Details
    Insufficient entropy for session ID and password reset token

    Tuleap does not use enough entropy for creating the session ID (session_hash) of an user or the password reset token (confirm_hash) send by email.

    Impact

    An attacker could guess a session ID or a password reset token and so accessing to the account of an user logged in or change an account password.

    CVSSv2 score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

    References

    https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/argyros
    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Entropy
    https://phpsecurity.readthedocs.org/en/latest/Insufficient-Entropy-For-Random-Values.html

    Authentication & LDAP
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-01-09
    Attachments
    Artifact links
    Empty
    Empty
    References
    Referencing request #7730

    Artifact Tracker v5

    rel #7520 7.10

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/30/3430/2' of ssh://gerrit.tuleap.net:29418/tuleap into stable 1e6fbbb9d5
    User avatar Nicolas Terray (nterray) , 2015-01-09 09:52
    request #7730: Add entropy into the session ID and the password reset token bd417103ab
    User avatar Thomas Gerbet (tgerbet) , 2015-01-05 10:49
    request #7730: Add entropy into the session ID and the password reset token df0653638a
    User avatar Thomas Gerbet (tgerbet) , 2015-01-19 16:35

    tuleap/u/vaceletm/tuleap/dev

    Merge commit 'refs/changes/30/3430/2' of ssh://gerrit.tuleap.net:29418/tuleap into stable 1e6fbbb9d5
    User avatar Nicolas Terray (nterray) , 2015-01-09 09:52
    request #7730: Add entropy into the session ID and the password reset token bd417103ab
    User avatar Thomas Gerbet (tgerbet) , 2015-01-05 10:49
    request #7730: Add entropy into the session ID and the password reset token df0653638a
    User avatar Thomas Gerbet (tgerbet) , 2015-01-19 16:35

    Release

    release #100
    Display settings

    Follow-ups

    User avatar
    Yannis ROSSETTO (rossettoy)2015-01-09 15:41
    Merged in Tuleap 7.9.99.x
    • Status changed from Under review to Closed
    • Close date set to 2015-01-09