Description of problem:

Reviewing https://fedorahosted.org/spacewalk/wiki/Features/ResetPassword and the commit IDs listed. The main feedback I have is maybe a better salt for the hash being used ... in theory, if someone knew the userid and time frame, with a default 48 hour window they'd have more than plenty of time to try and brute force attack the reset URLs. It would be reasonable for anyone to assume there is an 'admin' or 'satadmin' account to attack. Submit the form, know the user and time, assume a re-try counter of 0 or 1 (or a small integer value) and then quickly attack the URLs before the real satadmin reads their email in the morning (so to speak).

So, after confirming with Grant, the code is here: https://github.com/spacewalkproject/spacewalk/commit/e18542b50a95cf4c4b085a2f158645c46287e6e9#diff-3f1a494d9634e4a72568bd162a8ad754R89

counter + user-id + currentTimeMillis

And nearly everyone creates (and keeps) admin accounts with the first uid counter :)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
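As an added illustration (not the project's own code and not taken from the linked commit): the guessable derivation the report describes, the search-space estimate a reviewer would use to judge the 48 hour window, and a CSPRNG-based token beside it. The concatenation order, the use of SHA-256 and the in-memory store are assumptions.

```python
import hashlib
import math
import secrets
import time

# Pattern the report describes: hash(counter + user-id + currentTimeMillis).
# Concatenation order and SHA-256 are assumptions made for this illustration.
def weak_token(counter, user_id, time_ms):
    material = f"{counter}{user_id}{time_ms}".encode()
    return hashlib.sha256(material).hexdigest()

def weak_search_space_bits(window_hours, counter_values, user_ids=1):
    """Upper bound on guesses for the weak scheme: every millisecond in the
    validity window times every plausible counter and user id. Returns log2
    of that count so it can be read as 'bits of effective entropy'."""
    ms = int(window_hours * 3600 * 1000)
    return math.log2(ms * counter_values * user_ids)

# Hardened form: the token comes from the OS CSPRNG and is not derived from
# anything an outsider can know or estimate; only its hash is stored server
# side, with an expiry, and it is single use.
def issue_reset_token(store, user_id, ttl_seconds, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[digest] = {"user_id": user_id, "expires": now + ttl_seconds, "used": False}
    return token

def verify_reset_token(store, token, now=None):
    """Return the user id for a valid, unexpired, unused token, else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = store.get(digest)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return rec["user_id"]

if __name__ == "__main__":
    # 48 hour window, counter assumed to be 0 or 1, first uid only
    print(f"weak scheme: ~{weak_search_space_bits(48, 2):.1f} bits to search")
    store = {}
    t = issue_reset_token(store, user_id=1, ttl_seconds=48 * 3600)
    print("random token verifies to user", verify_reset_token(store, t))
```

The weak derivation for a 48 hour window and two counter values sits under 29 bits of effective entropy, against 256 bits for the random token.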
Spacewalk 2.8 (and older) has already reached its End Of Life. Thank you for reporting this issue and we are sorry that we were not able to fix it before end of life. If you would still like to see this bug fixed and are able to reproduce it against the current version of Spacewalk 2.9, you are encouraged to change the 'version' and re-open it.