self-service-password
LDAP Tool Box Self Service Password v1.5.2 - Account takeover
Is this vulnerability still relevant?
https://www.exploit-db.com/exploits/51275
Not sure this security issue is really usable:
- The victim is receiving an unsolicited, shifty password change mail
- the attack does not work if you have enabled the captcha
- and especially: there is already a configuration parameter for setting the URL: you just have to define:
# Reset URL (if behind a reverse proxy)
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
Maybe the only thing to do here is to insist on the use of $reset_url in the documentation: https://self-service-password.readthedocs.io/en/stable/config_tokens.html#reset-url
See also pull request: https://github.com/ltb-project/self-service-password/pull/824
This is a duplicate of https://github.com/ltb-project/self-service-password/issues/755
I agree with @davidcoutadeur, we may only add a warning in the documentation.
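As an added example (not code from the project or from anyone in this thread), here is what a hardened $reset_url setting could look like in the local config file, so the reset link never depends on an unvalidated Host or X-Forwarded-Host header; the file name conf/config.inc.local.php, the hostname and the allowlist are assumptions for this example:

```php
<?php
// Added example, not project code: put this in conf/config.inc.local.php (assumed path).
// Goal: build the password-reset link from trusted configuration, not from
// request headers that any client can set.

// Hostnames on which this SSP instance is really served (assumption).
$allowed_hosts = ['ssp.example.com'];

// Default: a fixed canonical URL that ignores every request header.
$reset_url = 'https://ssp.example.com/index.php';

// Only behind a reverse proxy that you control: accept X-Forwarded-Host when
// it is on the allowlist, otherwise keep the fixed URL above.
$fwd_host = strtolower(trim($_SERVER['HTTP_X_FORWARDED_HOST'] ?? ''));
if ($fwd_host !== '' && in_array($fwd_host, $allowed_hosts, true)) {
    // Normalise the scheme to http or https; anything else falls back to https.
    $proto = (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? 'https') === 'http') ? 'http' : 'https';
    $reset_url = $proto . '://' . $fwd_host . $_SERVER['SCRIPT_NAME'];
}
```

With the captcha enabled and $reset_url pinned this way, a reset mail always carries a link to a host you listed, whatever the incoming request claimed.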