Disocvered on Tue, 07 Jun 2011 by Dan Luedtke http://www.danrl.de Abstract ======== Calendar application Dienstplan 2.2 uses predictive passwords in user-creation and password-reset routines. About Dienstplan ================ Dienstplan is a web-based calendar application written in PHP targeting clubs and associations. Registered users may RSVP to sheduled events. See http://www.thomas-gubisch.de/dienstplan.html for further information. Vulnerable Versions =================== Tested on Dienstplan 2.2, others may be vulnerable Predictive Password Generation (1/2) ==================================== When a new account is created, the password is derived from the time()-function, which gives back the current UNIX TIME STAMP. A non-salted md5-hash of UNIX TIME STAMP becomes the initial password and is valid until the users changes the password manually. --[ user_func.php lines 46-49 ]-- // id = 0 -> new user if($id == 0) $id = master_addUser($username, $email, md5(time())); else -- An attacker (roughly) knowing when a user account was created can predict the password. Predictive Password Generation (2/2) ==================================== A user can reset his own password. Unfortunately, everyone having access to the application via browser can trigger this process for every known user (e.g. admin). The application then generates a new password as shown below. The new password is mailed to the user it was generated for. --[ user_func.php line 134 ]-- $password = md5(time()); -- An attacker might predict the password, or a set of possible passwords, by precalculating the md5-hashes of past, current, and future UNIX TIME STAMPs (e.g. +/-10 seconds, depends on server's offset). He may trigger the password reset process and log in with one of the precalculated passwords. Remarks ======= * Author responded in less than 24h. A fix was provided soon after that. * Disclosure has been delayed for 2+ months for users to update their software. regards, danrl -- Dan Luedtke http://www.danrl.de (private) http://www.dlitc.com (company)