Vendor: Center for Computational Research, University at Buffalo
Product: Open XDMoD
Affected versions: < 8.0
Open XDMoD is an open source tool to facilitate the management of high performance computing resources. It is widely deployed at academic, industrial, and government HPC centres. The web interface is written in PHP. The vulnerabilities discussed in this report were discovered in version 7.5 and will be addressed in the upcoming 8.0 release.
Essentially, password reset tokens are generated using the following algorithm:
MD5(CONCAT(username, password_last_updated))
When validating a token, the application makes the following SQL query:
SELECT id, first_name FROM Users WHERE MD5(CONCAT(username, password_last_updated)) = reset_token
If at least one row is returned, the first match is taken. There is no check to ensure that a token is expected (i.e. that a token has actually been issued by the application). Additionally, tokens are easily forged. It is possible for an attacker to limit the token search space by prompting a user to change their password. A ten-minute window results in just 600 possible tokens, as the "password_last_updated" value is stored in a MySQL timestamp column which is truncated to whole seconds. It may be very easy to attack the admin account if the system install time is known and the admin password has not been changed since that time.
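To make the defect concrete, the following Python is an added example written for this advisory; it is not Open XDMoD code and does not reproduce the project's PHP. The first function mirrors the deterministic MD5(CONCAT(username, password_last_updated)) scheme described above, assuming the MySQL timestamp is rendered as "YYYY-MM-DD HH:MM:SS" (whole seconds, so sub-second changes collapse into the same token and a known ten-minute window yields 600 candidates). The ResetTokenStore class is a hypothetical hardened replacement showing the properties a reset token needs: unpredictable (256 random bits), issued and recorded by the application, time-limited, single-use, and stored only as a hash so a database read does not yield usable tokens.

```python
import hashlib
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


# --- The scheme the advisory describes: deterministic, reproducible by anyone
#     who knows the username and the second the password was last changed. ---
def weak_reset_token(username: str, password_last_updated: datetime) -> str:
    """MD5(CONCAT(username, password_last_updated)).

    Assumption: MySQL renders the TIMESTAMP column as 'YYYY-MM-DD HH:MM:SS',
    so the value has whole-second resolution.
    """
    ts = password_last_updated.strftime("%Y-%m-%d %H:%M:%S")
    return hashlib.md5((username + ts).encode("utf-8")).hexdigest()


def weak_token_space(window_seconds: int) -> int:
    """Distinct weak tokens possible if the password change is known to fall
    inside a window of the given length: exactly one per whole second."""
    return window_seconds


# --- Hypothetical hardened design (added example, not the project's code). ---
class ResetTokenStore:
    """Issues random, expiring, single-use reset tokens and stores only their hash."""

    TTL = timedelta(minutes=30)

    def __init__(self) -> None:
        # sha256(token) -> (user_id, expiry)
        self._pending: Dict[str, Tuple[int, datetime]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: int, now: datetime) -> str:
        """Generate a 256-bit random token; record its hash and expiry.
        Only the hash is persisted, so a database leak does not expose tokens."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, now + self.TTL)
        return token

    def redeem(self, token: str, now: datetime) -> Optional[int]:
        """Return the user id if the token was issued, is unexpired and unused.
        The token is consumed on lookup, so it can never be redeemed twice.
        Matching on the SHA-256 digest means an attacker would need a
        preimage, not merely a guessable timestamp, to satisfy the check."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # never issued, or already used
        user_id, expires_at = entry
        if now > expires_at:
            return None  # issued, but expired
        return user_id


if __name__ == "__main__":
    # Constructed sample values; no real accounts or timestamps.
    changed = datetime(2018, 1, 1, 12, 0, 0)
    print("weak token:", weak_reset_token("admin", changed))
    print("candidates in a 10-minute window:", weak_token_space(600))

    store = ResetTokenStore()
    t = store.issue(42, changed)
    print("redeem once:", store.redeem(t, changed + timedelta(minutes=5)))
    print("redeem again:", store.redeem(t, changed + timedelta(minutes=6)))
```

The weak function is fully determined by two values an attacker can plausibly learn or narrow down, which is why it is forgeable; the hardened store instead ties validity to a record the application itself created, so an unsolicited token (one that was never issued) is rejected regardless of what it hashes to.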
The vendor has patched the vulnerability in a subsequent release.
See also CVE-2018-16961, CVE-2018-16960.