GMS-2016-65: Arbitrary password resets via NULL reset codes

September 5, 2016

There’s a flaw in the DB schema where reset_password_code is NULL by default. If an attacker is able to provide a NULL reset code to the package, there are no guards against arbitrary anonymous password resets. In many cases, submitting a url-encoded null byte value (%00) will match what’s in the database, passing the check and allowing the attacker to set the password to what they wish.

References

haxx.ml/post/149975211631/how-i-hacked-your-cfp-and-probably-some-other
github.com/cartalyst/sentry/pull/545

Code Behaviors & Features

Detect and mitigate GMS-2016-65 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →