hi
Just a thought. A user makes a uid on a Drupal site and gets a random password (a combination of two words out of a population of n words, resulting in n^2 possible passwords).
Now all the user has to do is reset his [m/f] password often to make up all possible passwords. Then he requests a reset of the password of the uid=1 user and tries to log in with all possible combinations. This shouldn't take more than a couple of minutes, depending on script, bandwidth, etc. Basically he "own3s" the site.
The old 3.x [?] Drupal code used to send a mail for confirmation of the password change, by letting the user surf to a randomly created URL before sending out the new password. Maybe this code should be optionally activated [option in admin section] again?
Other options:
* cap the number of failed logins (resulting in a possible DoS)
* cap the number of password resets
* rewrite new password resets to True Pseudo Random [tm] generation (optionally vowel, consonant, vowel, ...)
btw: not too sure if security at drupal dot org exists. If not, maybe we should create it, forward it to a select number of people and put up a notice on the Drupal site for these kinds of security-related issues.
As far as my security alert is concerned, is it possible, theoretical or real?
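The attack sketched above, modelled as an added example (this is not code from the thread or from Drupal): a site whose reset handler builds the new password from two words of a fixed list, an attacker who resets his own account until every word has shown up, and a brute force of the n^2 ordered pairs against uid=1 after a reset is requested for it. A second site model applies two of the proposals from the list (a CSPRNG-generated reset password and a cap on failed logins) so the same attack can be run against both. The word list, the "-" separator between the two words, the lockout threshold and the uid numbers are assumptions of the model.

```python
"""Simulation of the reset-and-enumerate attack and two proposed mitigations.
Constructed example: the word list, separator, lockout threshold and site
model are assumptions, not Drupal code."""
import random
import secrets
import string

# Constructed word population (n = 8), so the weak scheme has n**2 = 64 passwords.
WORDS = ["apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "ocean"]
SEP = "-"  # assumption: the generator joins the two words with a visible separator
ADMIN_UID = 1


class WeakSite:
    """Site model: a password reset replaces the password with two words drawn
    from a fixed list, and the login form never locks an account out."""

    def __init__(self, words, seed=None):
        self.words = words
        self.rng = random.Random(seed)  # seeded PRNG so the run is reproducible
        self.passwords = {}

    def reset_password(self, uid):
        # The new password is "mailed" to the account owner; for the attacker's
        # own account that means the attacker gets to read it.
        pw = self.rng.choice(self.words) + SEP + self.rng.choice(self.words)
        self.passwords[uid] = pw
        return pw

    def login(self, uid, pw):
        return self.passwords.get(uid) == pw


class HardenedSite(WeakSite):
    """Same site with two of the thread's proposals: a CSPRNG-generated reset
    password and a cap on failed logins per account (threshold is an assumption)."""

    MAX_FAILED = 5
    ALPHABET = string.ascii_letters + string.digits

    def __init__(self, words, seed=None):
        super().__init__(words, seed)
        self.failed = {}
        self.locked = set()

    def reset_password(self, uid):
        pw = "".join(secrets.choice(self.ALPHABET) for _ in range(16))
        self.passwords[uid] = pw
        return pw

    def login(self, uid, pw):
        if uid in self.locked:
            return False
        if super().login(uid, pw):
            self.failed[uid] = 0
            return True
        self.failed[uid] = self.failed.get(uid, 0) + 1
        if self.failed[uid] >= self.MAX_FAILED:
            self.locked.add(uid)
        return False


def harvest_words(site, attacker_uid, resets):
    """Step 1: reset the attacker's own password repeatedly and collect the
    distinct words that appear; with enough resets this recovers the whole list."""
    seen = set()
    for _ in range(resets):
        seen.update(site.reset_password(attacker_uid).split(SEP))
    return seen


def attack_admin(site, attacker_uid, resets=200):
    """Steps 2 and 3: request a reset for uid=1, then try every ordered word pair.
    Returns (recovered password or None, number of login attempts made)."""
    words = sorted(harvest_words(site, attacker_uid, resets))
    candidates = [a + SEP + b for a in words for b in words]  # n**2 guesses
    site.reset_password(ADMIN_UID)  # this mail goes to the real admin, not the attacker
    for attempts, guess in enumerate(candidates, start=1):
        if site.login(ADMIN_UID, guess):
            return guess, attempts
    return None, len(candidates)


if __name__ == "__main__":
    weak = WeakSite(WORDS, seed=7)
    pw, tries = attack_admin(weak, attacker_uid=42)
    print("weak site: admin password", pw, "found after", tries, "attempts")
    hard = HardenedSite(WORDS, seed=7)
    pw, tries = attack_admin(hard, attacker_uid=42)
    print("hardened site:", pw, "after", tries, "attempts; uid 1 locked:", ADMIN_UID in hard.locked)
```

Against the weak model the harvest needs only a few dozen self-resets (each reset leaks two words, so all n words appear long before n^2 resets) and the admin password falls within 64 login attempts. Against the hardened model the harvested strings never combine into the 16-character random password, and the failed-login cap locks uid=1 after five guesses, which is exactly the DoS side effect the list notes; that is why the confirmation-URL step, which stops the attacker from forcing a reset of uid=1 in the first place, is the more attractive fix.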
Comments
Comment #1
al commented:
+1 for the security@drupal.org suggestion.
There are some things that shouldn't go public until they've been fixed, and people on bugtraq these days expect a security@ address.
Regarding password confirmation e-mails, this is a good idea for another reason - if the user leaves their machine unattended, another user could come along and change their password (esp. when Drupal's "remember me" cookie option is checked).
Comment #2
al commented:
> As far as my security alert is concerned, is it possible, theoretical or real?
It's quite real. If Drupal were to only accept e-mail addresses (which are publicly hidden) then this would be a lot more difficult to accomplish. As it is, it's not terribly hard to work out who the admin user for many sites is.
It might be a good idea to include a check for the password reset function to make sure it doesn't work for the admin UID=1 user.
If the site admin loses their password, they're a muppet. What's more, they can manually reset it anyway.
Comment #3
marco commented:
I'm +1 for the confirmation email for another reason too. It happens that new users DON'T understand that a username is already taken, and request a new password, so the real user receives the new password and, what's worse, emails me to ask why I keep on changing his password.
Seriously, with popular sites this happens frequently, especially with common names.
Comment #4
Kobus commented:
> I'm +1 for the confirmation email for another reason too. It happens that new users DON'T understand that a username is already taken, and request a new password, so the real user receives the new password and, what's worse, emails me to ask why I keep on changing his password.
If you ask me, if this is the case, then there might be a problem in how Drupal presents the information to clueless users. I believe many of these types of problems can be taken care of by the site owner; however, some are left for Drupal.
Comment #5
tbecker commented:
Would it make sense to modify the new-password system such that when this happens, instead of changing the password immediately and sending a new one out, Drupal:
Comment #6
killes@www.drop.org commented:
I like your proposal. Are you going to send a patch?
Comment #7
moshe weitzman commented:
Comment #8
moshe weitzman commented:
Comment #9
(not verified) commented:
Automatically closed due to inactivity (marked fixed for 14 days).