•  
      request #7730 Insufficient entropy for session ID and password reset token
    Infos
    #7730
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-01-02 16:46
    7732
    Details
    Insufficient entropy for session ID and password reset token

    Tuleap does not use enough entropy for creating the session ID (session_hash) of an user or the password reset token (confirm_hash) send by email.

    Impact

    An attacker could guess a session ID or a password reset token and so accessing to the account of an user logged in or change an account password.

    CVSSv2 score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

    References

    https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/argyros
    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Entropy
    https://phpsecurity.readthedocs.org/en/latest/Insufficient-Entropy-For-Random-Values.html

    Authentication & LDAP
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-01-09
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Merged in Tuleap 7.9.99.x

    • Status changed from Under review to Closed
    • Close date set to 2015-01-09