High severity · 7.5 · NVD Advisory · Published Jan 25, 2017 · Updated May 13, 2026
CVE-2017-5594
Description
An issue was discovered in Pagekit CMS before 1.0.11. When the debug toolbar is enabled, a remote attacker is able to reset a registered user's password. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pagekit/pagekit (Packagist) | < 1.0.11 | 1.0.11 |
Affected products: 1
Patches: 1
e0454f9c037c Merge branch 'release/1.0.11'
5 files changed · +29 −14
app/system/config.php+1 −1 modified@@ -4,7 +4,7 @@ 'application' => [ - 'version' => '1.0.10' + 'version' => '1.0.11' ],
app/system/modules/settings/app/components/system.vue+1 −0 modified@@ -34,6 +34,7 @@ <label><input type="checkbox" value="1" v-model="$root.config.debug.enabled" :disabled="!sqlite"> {{ 'Enable debug toolbar' | trans }}</label> </p> <p class="uk-form-help-block" v-if="!sqlite">{{ 'Please enable the SQLite database extension.' | trans }}</p> + <p class="uk-form-help-block" v-if="$root.config.application.debug || $root.config.debug.enabled">{{ 'Please note that enabling debug mode or toolbar has serious security implications.' | trans }}</p> </div> </div>
app/system/modules/user/src/Controller/ResetPasswordController.php+21 −12 modified@@ -25,7 +25,7 @@ public function indexAction() } /** - * @Request({"email": "string"}) + * @Request({"email"}) */ public function requestAction($email) { @@ -51,9 +51,8 @@ public function requestAction($email) throw new Exception(__('Your account has not been activated or is blocked.')); } - $user->activation = App::get('auth.random')->generateString(32); - - $url = App::url('@user/resetpassword/confirm', ['user' => $user->username, 'key' => $user->activation], 0); + $key = App::get('auth.random')->generateString(32); + $url = App::url('@user/resetpassword/confirm', compact('key'), 0); try { @@ -67,6 +66,7 @@ public function requestAction($email) throw new Exception(__('Unable to send confirmation link.')); } + $user->activation = $key; $user->save(); App::message()->success(__('Check your email for the confirmation link.')); @@ -85,15 +85,26 @@ public function requestAction($email) } /** - * @Request({"user", "key"}) + * @Request({"key", "password"}) */ - public function confirmAction($username = "", $activation = "") + public function confirmAction($activation = '', $password = '') { - if (empty($username) || empty($activation) || !$user = User::where(compact('username', 'activation'))->first()) { + if ($activation and $user = User::where(compact('activation'))->first()) { + + App::session()->set('activation', [ + 'key' => $activation, + 'user' => $user->id, + ]); + + $user->activation = null; + $user->save(); + } + + if (!$data = App::session()->get('activation') or $data['key'] != $activation) { App::abort(400, __('Invalid key.')); } - if ($user->isBlocked()) { + if (!$user = User::find($data['user']) or $user->isBlocked()) { App::abort(400, __('Your account has not been activated or is blocked.')); } 
@@ -105,8 +116,6 @@ public function confirmAction($username = "", $activation = "") throw new Exception(__('Invalid token. Please try again.')); } - $password = App::request()->request->get('password'); - if (empty($password)) { throw new Exception(__('Enter password.')); } @@ -115,10 +124,11 @@ public function confirmAction($username = "", $activation = "") throw new Exception(__('Invalid password.')); } - $user->password = App::get('auth.password')->hash($password); $user->activation = null; + $user->password = App::get('auth.password')->hash($password); $user->save(); + App::session()->remove('activation'); App::message()->success(__('Your password has been reset.')); return App::redirect('@user/login'); @@ -133,7 +143,6 @@ public function confirmAction($username = "", $activation = "") 'title' => __('Reset Confirm'), 'name' => 'system/user/reset-confirm.php' ], - 'username' => $username, 'activation' => $activation, 'error' => isset($error) ? $error : '' ];
app/system/modules/user/views/reset-confirm.php+1 −1 modified@@ -1,6 +1,6 @@ <?php $view->script('uikit-form-password') ?> -<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['user' => $username, 'key' => $activation]) ?>" method="post"> +<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['key' => $activation]) ?>" method="post"> <?php if($error): ?> <div class="uk-alert uk-alert-danger">
CHANGELOG.md+5 −0 modified@@ -1,5 +1,10 @@ # Changelog +## 1.0.11 (January 20, 2017) + +### Security +- Fixed replay attack with password reset links when debug toolbar is enabled, discovered by SecureLayer7 + ## 1.0.10 (December 22, 2016) ### Fixed
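Review bot: In app/system/modules/settings/app/components/system.vue (hunk @@ -34,6 +34,7) the new help text is rendered only while `$root.config.application.debug || $root.config.debug.enabled` is true, so an administrator sees the warning only after the option has been switched on, and the text does not say what is at risk. Consider showing it unconditionally next to the checkbox and stating that neither setting should be enabled on a production site.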
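Review bot: In ResetPasswordController.php (hunk @@ -25,7 +25,7) the annotation on requestAction changes from `@Request({"email": "string"})` to `@Request({"email"})`, which drops the declared type for `email`, and the visible lines show no type check before the value is used. Either keep the `string` type or add an explicit `is_string($email)` check at the top of requestAction, and say in the commit message why the type was removed.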
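Review bot: In ResetPasswordController.php (hunks @@ -51,9 +51,8 and @@ -67,6 +66,7) `$user->activation = $key` stores the reset key as generated, and confirmAction looks it up with `User::where(compact('activation'))`, so anyone with read access to the user table holds usable reset keys. Consider storing a hash of the key and looking up by that hash. Nothing in the visible lines gives the key an expiry time either, so an unused link appears to stay valid until it is replaced or consumed; a stored timestamp checked in confirmAction would bound that.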
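Review bot: In ResetPasswordController.php (hunk @@ -85,15 +85,26) the session check `$data['key'] != $activation` uses PHP's loose comparison, which compares numeric-looking strings by value and is not constant-time. Since `@Request({"key", "password"})` declares no types, check that `$activation` is a string and then use `!hash_equals($data['key'], $activation)`. The same hunk sets `$user->activation = null` on the first request that presents a valid key, before any password is submitted, so anything that fetches the link once (a mail link scanner, a prefetch) consumes it for the real user; a code comment saying that single use bound to the session is intended, and a clearer message than 'Invalid key.' for that case, would help.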
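Review bot: In ResetPasswordController.php (hunk @@ -105,8 +116,6) the removed line `$password = App::request()->request->get('password');` read the password from the POST body explicitly, while the new `@Request({"key", "password"})` annotation is the only source left and declares no type. Confirm that the annotation cannot fill `password` from the query string, where it would be written to access logs, and that a non-string value is rejected before `App::get('auth.password')->hash($password)` is reached.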
References (8)
- github.com/pagekit/pagekit/commit/e0454f9c037c427a5ff76a57e78dbf8cc00c268b (nvd: Patch, WEB)
- securelayer7.net/download/poc/password-reset-vulnerability-exploit-ruby-pagekit-cms.rb.txt (nvd: Exploit, Third Party Advisory, WEB)
- www.exploit-db.com/exploits/41143/ (nvd: Exploit, Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/95806 (nvd: Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-rp89-32rp-qpq2 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-5594 (ghsa: ADVISORY)
- securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf (nvd: Technical Description, Third Party Advisory, WEB)
- www.exploit-db.com/exploits/41143 (ghsa: WEB)