gitter-badger ezpublish-modern-legacy forgotpassword.php password recovery

Vulnerability

A vulnerability exists in the password recovery functionality of ezpublish-modern-legacy prior to version 1.0. The file kernel/user/forgotpassword.php generates a hash key for password reset links using md5( $userID . ':' . $time . ':' . mt_rand() ). The use of mt_rand() instead of a cryptographically secure random number generator makes the hash predictable under certain conditions.

Exploitation

Exploitation requires knowledge of the user's ID and the timestamp, and the ability to brute-force or predict the output of mt_rand(). The attack complexity is considered high, and exploitation is difficult [1]. An attacker would need to generate a valid password reset hash and intercept or craft a reset link.

Impact

Successful exploitation could allow an attacker to reset a user's password without authorization, leading to account takeover and potential data breach. The vulnerability is rated as problematic with a CVSS vector not specified, but the weakness in password recovery is a significant concern for user account security.

Mitigation

The issue is fixed in version 1.0 of ezpublish-modern-legacy [2], which includes the commit 5908d5ee65fec61ce0e321d586530461a210bf2a that replaces mt_rand() with openssl_random_pseudo_bytes() when available, falling back to mt_rand() otherwise [1]. Users are recommended to upgrade to version 1.0 or apply the patch. No workaround is documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.