CRITICAL Security Exploit

Theme support is offered to verified customers by forum only. Support requests and solutions made by email, Skype, Envato or any other method will be redirected back to the forum.

This topic is: resolved
  • Resolved
    Posted in: Arcane  

  • Member
    axepex
    December 14, 2018 at 8:29 pm #116931

    It has been brought to my attention by one of my QA testers that there is a MAJOR security exploit in the forgot password process.

    I had a test user (gamer role) figure out how to modify a URL and the $_GET method of the script to reset ANY USERS PASSWORD at any time… then access their account (administrator level) and then do whatever they wanted.

    They found this by resetting their password; They realized then that the URL in the activation email had their username at the end of the URL request string (?name=’blank’).

    Basically, replace the end of this URL with anyones username to instantly change their password without any key or token required. Any user name…

    https://play.armedvr.com/lost-password/?action=rp&key=gobUHKcYSK6Jr7dwOiFf&login=Tester3
    https://play.armedvr.com/lost-password/?action=rp&login=Tester3

    The &key=gobUHKcYSK6Jr7dwOiFf aspect of this script plays absolutely no role in the activation process. This is all out of the box, no modifications to any code. What’s going on with this? This is such a problem to me, I’m afraid to see what else might allow exploits in this system.

    Sorry, this forum is for verified users only. Please Login or Register to continue

Comments are closed.