Last Update: 2017-10-03 09:53:04 -0700

Security Fix

  • The password reset key deadline was previously ignored when checking for a password reset key. This allowed expired keys to be used. This problem exists in all previous versions.

    The root cause of this issue is that support for deadline checking was not previously implemented. In previous versions, the deadline was only used to remove old keys when creating a new key.

    Rodauth only allows a single password reset key per account, and deletes password reset keys when passwords are reset. So if the user had subsequently generated a different password reset key, or had already used the password reset key to reset the password, then they would not be vulnerable. The most likely situation where there exists a vulnerability due to this issue is:

    • A user requests a password reset.

    • They do not reset their password or request another password reset.

    • The password reset key deadline expires.

    • An attacker gets access to their archived email containing the password reset link, which they use to reset the password for the account.

    Reporting Details:

    • Initially reported on 10/3/2017

    • Fixed in repository on 10/3/2017

    • Version 1.12.0 released with fix on 10/3/2017

    Thanks to Chris Hanks for discovering and reporting this issue and supplying an initial fix.

New Features