Bug 1268110 - Better Salt for Forgotten/Reset Password page for URL generated
Status: NEW
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Tomas Lestach
QA Contact: Red Hat Satellite QA List
Reported: 2015-10-01 16:57 EDT by Clifford Perry
Modified: 2015-10-02 07:40 EDT
Doc Type: Bug Fix
Type: Bug
Description (Clifford Perry, 2015-10-01 16:57:55 EDT)
Description of problem:
Reviewing https://fedorahosted.org/spacewalk/wiki/Features/ResetPassword and the commit IDs listed. The main feedback I have is maybe a better salt for the hash being used ... in theory, if someone knew the user id and time frame, with a default 48-hour window, they'd have more than plenty of time to try and brute-force the reset URLs. It would be reasonable for anyone to assume there is an 'admin' or 'satadmin' account to attack. Submit the form, know the user and time, assume a retry counter of 0 or 1 (or a small integer value) and then quickly attack the URLs before the real satadmin reads their email in the morning (so to speak).

So, after confirming with Grant, the code here:
https://github.com/spacewalkproject/spacewalk/commit/e18542b50a95cf4c4b085a2f158645c46287e6e9#diff-3f1a494d9634e4a72568bd162a8ad754R89

counter + user-id + currentTimeMillis

And nearly everyone creates (and keeps) admin accounts with the first uid counter :)
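The construction quoted above makes the reset token a deterministic function of three inputs an attacker can guess: a small retry counter, a low-numbered user id, and a timestamp inside a known window. The Python below is an added example, not Spacewalk's code or anything from the linked commit; it assumes the token is the hex SHA-1 of the concatenated decimal strings (the page does not say which hash the project uses), and every function name is hypothetical. It sizes the attacker's search space for the 48-hour window, recovers a token by enumeration when the request time is known to within a couple of seconds, and shows the usual fix: a token drawn from the OS CSPRNG, stored server-side, and compared in constant time.

```python
"""Added example (not Spacewalk code): why hash(counter + user-id + time)
is guessable, and what a reset token should look like instead.

Assumptions (not stated on the bug report): the token is the hex SHA-1 of
the concatenated decimal strings, and the attacker knows the victim's user
id and roughly when the reset request was submitted.
"""
import hashlib
import hmac
import secrets


def weak_token(counter: int, user_id: int, millis: int) -> str:
    """Reproduction of the criticised scheme: the only entropy is the
    timestamp, and even that is bounded by the 48-hour validity window."""
    return hashlib.sha1(f"{counter}{user_id}{millis}".encode()).hexdigest()


def search_space(max_counter: int, max_user_id: int, window_ms: int) -> int:
    """Number of candidate tokens an attacker must hash in the worst case:
    every counter value, every plausible user id, every millisecond."""
    return (max_counter + 1) * max_user_id * window_ms


def brute_force_weak(target: str, user_ids, max_counter: int,
                     t_start_ms: int, t_end_ms: int):
    """Enumerate (counter, user id, millisecond) until the hash matches.
    Returns the recovered tuple, or None if it is outside the ranges."""
    for uid in user_ids:
        for counter in range(max_counter + 1):
            for ms in range(t_start_ms, t_end_ms):
                if weak_token(counter, uid, ms) == target:
                    return counter, uid, ms
    return None


def strong_token() -> str:
    """256 bits from the OS CSPRNG; unguessable regardless of what the
    attacker knows about the user or the request time.  The server stores
    this (or its hash) with an expiry and looks it up on click."""
    return secrets.token_urlsafe(32)


def token_matches(stored: str, presented: str) -> bool:
    """Constant-time comparison so a timing side channel cannot leak the
    stored token byte by byte."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    # Constructed values: user id 1 (the first admin), retry counter 1,
    # request time around 2015-10-01 (epoch milliseconds).
    request_ms = 1443732000500
    token = weak_token(1, 1, request_ms)
    full_window = 48 * 3600 * 1000
    print("worst-case candidates for 48h, counter<=3, user ids 1..10:",
          search_space(3, 10, full_window))          # 6_912_000_000, < 2**33
    # An attacker who watched the request go out knows the time to ~2 s.
    print("recovered:", brute_force_weak(token, [1, 2], 3,
                                         request_ms - 500, request_ms + 1500))
    print("strong token:", strong_token())
```

The full 48-hour window with a handful of user ids is only a few billion SHA-1 evaluations, which is cheap offline work; the real problem is that nothing in the input is secret, so narrowing the time window only shortens the attack. A random token carries its own entropy and needs no salt at all.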