Summary
A disabled user can still gain access to a wiki by abusing the password reset function.
Details
While setting up SMTP e-mails on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only did it let me reset my password, but after resetting my password I can get into the wiki I was locked out of.
The ramification of this bug is that a user can bypass an account disabling by requesting that their password be reset.
PoC
- Run WikiJs 2.5.303
- Run Postgresql DB
- Set up your wiki
- Set up SMTP connection / email support
- Create your user
- Create a test user
- Have test user onboard, and log in.
- Deactivate / disable user from main account
- Observe the test user can no longer log in
- Have the test user request a password reset
- Get the password reset email
- Accept the reset, enter any new password
- New password is accepted! Logs in to the wiki
- I am able to perform any action I was allowed to perform before
- Once I log out, I cannot log back in
- ... but I can just reset my password again!
Impact
All users of 2.5.303 who use any account restrictions and have a disabled user.
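The gap the PoC steps expose, shown as an added sketch in Node.js: this is not Wiki.js source code, and every name in it (`makeStore`, `isActive`, the `*Flawed` and `*Hardened` functions) is hypothetical. It models a reset flow that never consults the account's disabled flag next to one that checks it both when the token is issued and when it is redeemed.

```javascript
// Added illustration; NOT Wiki.js source. All names here are hypothetical.
const crypto = require('node:crypto');

// Constructed sample data (password hashing omitted to keep the model short).
function makeStore() {
  return {
    users: new Map([
      ['admin@example.test', { isActive: true, password: 'old-a' }],
      ['test@example.test', { isActive: false, password: 'old-t' }],
    ]),
    tokens: new Map(), // reset token -> e-mail address
  };
}

// Flawed flow matching the report: the disabled flag is never consulted.
function requestResetFlawed(store, email) {
  if (!store.users.has(email)) return null;
  const token = crypto.randomBytes(16).toString('hex');
  store.tokens.set(token, email);
  return token; // stands in for the e-mailed reset link
}
function completeResetFlawed(store, token, newPassword) {
  const email = store.tokens.get(token);
  if (!email) return { ok: false, session: null };
  store.tokens.delete(token);
  store.users.get(email).password = newPassword;
  return { ok: true, session: email }; // reset ends in a logged-in session
}

// Hardened flow: refuse disabled accounts when issuing AND when redeeming.
function requestResetHardened(store, email) {
  const user = store.users.get(email);
  if (!user || !user.isActive) return null; // same result as an unknown user
  const token = crypto.randomBytes(16).toString('hex');
  store.tokens.set(token, email);
  return token;
}
function completeResetHardened(store, token, newPassword) {
  const email = store.tokens.get(token);
  if (!email) return { ok: false, session: null };
  store.tokens.delete(token); // single use, even when the reset is refused
  const user = store.users.get(email);
  // Covers an account disabled after the token was mailed out.
  if (!user.isActive) return { ok: false, session: null };
  user.password = newPassword;
  return { ok: true, session: email };
}
```

The check at redemption time matters as much as the one at request time, because a reset link issued while the account was still active can be redeemed after it has been disabled.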