CVE-2012-5618
Description
Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <2.6.1
- (no CPE) range: before 2.6.1
Patches
Vulnerability mechanics
Root cause
"Insufficient entropy in forgot-password token generation — the token was derived solely from the user's email and last_login timestamp with no secret salt, making it guessable by an attacker who knows those values."
Attack vector
An attacker who knows a target user's email address and can estimate or obtain their `last_login` timestamp can compute the old token value, because the old code used `hash_password($user->email . $user->last_login)` with no secret salt [ref_id=1][ref_id=2]. The attacker triggers a password reset request for that user, then guesses the token offline using the known inputs. If successful, the attacker can supply the guessed token to the reset endpoint and set a new password, gaining full account access. No authentication is required to initiate the reset flow.
Affected code
The vulnerability existed in `application/controllers/login.php` where the forgot-password token was generated by `$auth->hash_password($user->email.$user->last_login)` [ref_id=2]. The fix introduces a new `_forgot_password_token()` method in `application/models/user.php` that uses `hash_hmac('sha1', ...)` with a random salt and a site-specific secret key [patch_id=2243832]. A new initialization block in `application/hooks/2_settings.php` generates a 64-character `forgot_password_secret` if one is not already set [patch_id=2243832].
What the fix does
The patch replaces the deterministic `hash_password($email.$last_login)` token with an HMAC-SHA1 of `last_login` and `email`, keyed by a concatenation of a 32-character random salt and a site-wide `forgot_password_secret` [patch_id=2243832]. The secret key is auto-generated on first run from a 64-character pool, ensuring an attacker without the secret cannot compute valid tokens even if they know the email and last_login [patch_id=2243832]. The new `check_forgot_password_token()` method extracts the salt from the token and recomputes the HMAC for verification, while the old `hash_password`-based comparison is removed [patch_id=2243832].
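As an added illustration (not Ushahidi's own code), the keyless derivation the old controller used beside a token built the way the fix describes: a random salt prepended to an HMAC-SHA1 keyed by salt plus site secret, with the check recovering the salt from the token. The `expect` helper, sample values and `$secret` (standing in for `forgot_password_secret`) are constructed for this example.

```php
<?php
// Added example, not Ushahidi's own code: the keyless pre-2.6.1 token
// derivation beside a salted, secret-keyed HMAC token in the shape the
// fix describes. $secret stands in for the site's forgot_password_secret.

// Pre-2.6.1 shape: a pure function of two values an attacker can know or
// estimate, so anyone holding them recomputes the token without a secret.
function weak_forgot_token(string $email, string $lastLogin): string
{
    return sha1($email . $lastLogin); // stands in for hash_password()
}

// Fixed shape: 32-char random salt, then HMAC-SHA1 over last_login.email
// keyed by salt.secret. Without the secret the MAC cannot be derived.
function forgot_password_token(string $email, string $lastLogin, string $secret): string
{
    $salt = bin2hex(random_bytes(16)); // 32 hex characters
    $mac  = hash_hmac('sha1', $lastLogin . $email, $salt . $secret);
    return $salt . $mac;               // 32 + 40 characters
}

function check_forgot_password_token(string $token, string $email, string $lastLogin, string $secret): bool
{
    if (strlen($token) !== 72) {
        return false;
    }
    $salt     = substr($token, 0, 32);
    $expected = hash_hmac('sha1', $lastLogin . $email, $salt . $secret);
    return hash_equals($expected, substr($token, 32)); // constant-time compare
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// Constructed sample values.
$email     = 'alice@example.org';
$lastLogin = '1354579200';
$secret    = bin2hex(random_bytes(32)); // 64 chars, like forgot_password_secret

expect(weak_forgot_token($email, $lastLogin) === weak_forgot_token($email, $lastLogin),
       'old token is reproducible from email and last_login alone');
$token = forgot_password_token($email, $lastLogin, $secret);
expect(check_forgot_password_token($token, $email, $lastLogin, $secret), 'valid token accepted');
expect(!check_forgot_password_token($token, $email, $lastLogin, 'other-secret'), 'wrong secret rejected');
expect(!check_forgot_password_token($token, 'bob@example.org', $lastLogin, $secret), 'other user rejected');
```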
Preconditions
- (input) Attacker must know the target user's email address
- (input) Attacker must know or be able to estimate the target user's last_login timestamp
- (config) The application must be running Ushahidi before version 2.6.1 (unpatched)
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.openwall.com/lists/oss-security/2012/12/04/1 (MISC)
- github.com/ushahidi/Ushahidi_Web/commit/e8c7ecd42818c331db8945d20f8b1865bc6d157e (MISC)