Tuleap does not use enough entropy when creating a user's session ID (session_hash) or the password reset token (confirm_hash) sent by email.
Impact
An attacker could guess a session ID or a password reset token and thereby access the account of a logged-in user or change an account's password.
CVSSv2 score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
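One way to issue and check session or reset tokens with sufficient entropy, shown as an added example that is not Tuleap's code or its fix. It assumes PHP 7.1 or later; the function names, the 32-byte length and the 15-minute lifetime are illustrative choices.

```php
<?php
declare(strict_types=1);

// Added example; all names are hypothetical, not Tuleap identifiers.
const TOKEN_BYTES = 32;         // 256 bits drawn from the OS CSPRNG
const RESET_TTL_SECONDS = 900;  // assumed lifetime of a reset token

/** Returns [token handed to the user, record kept server-side]. */
function issue_token(int $now): array
{
    // random_bytes() throws if no secure source is available,
    // so there is no silent fallback to a predictable generator.
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $record = [
        'digest'  => hash('sha256', $token), // store the digest, not the token
        'expires' => $now + RESET_TTL_SECONDS,
        'used'    => false,
    ];
    return [$token, $record];
}

/** Checks a presented token against the stored record; single use. */
function redeem_token(string $presented, array &$record, int $now): bool
{
    if ($record['used'] || $now > $record['expires']) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing
    // does not reveal how much of the digest matched.
    if (!hash_equals($record['digest'], hash('sha256', $presented))) {
        return false;
    }
    $record['used'] = true;
    return true;
}

// Constructed demonstration values.
$now = time();
[$token, $record] = issue_token($now);
var_dump(strlen($token));                                   // hex length of the token
var_dump(redeem_token(str_repeat('0', 64), $record, $now)); // wrong guess
var_dump(redeem_token($token, $record, $now));              // first legitimate use
var_dump(redeem_token($token, $record, $now));              // replay of the same token
```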
References
https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/argyros
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Entropy
https://phpsecurity.readthedocs.org/en/latest/Insufficient-Entropy-For-Random-Values.html