Admin Password Reset Malfunction
Recent events have made us aware of a malfunction in the Admin Password Reset page of the Administration Panel in PHP-Fusion v7.02. Under the right conditions, this malfunction could allow an attacker to gain access to those accounts whose password has been reset using the Admin Password Reset page.
Affected PHP-Fusion versions: All PHP-Fusion v7.02.xx.
Details of the malfunction:
The malfunction was caused by an improper implementation of the PasswordAuth class (/includes/classes/PasswordAuth.class.php), which handles login and admin passwords for all users in PHP-Fusion. As a result, 1 out of 10 reset admins ended up with an empty login password, which allowed an attacker to access the account using any password of his or her choosing.
Until PHP-Fusion v7.02.03 is released, we discourage all use of the Admin Password Reset page. Note that this problem cannot be exploited unless the Admin Password Reset page has been used first. If you have used it, we encourage you to change your passwords manually.
More information, as well as patched files, will be made available continuously on the Development Site. In the meantime, you can send your questions directly to Hans Kristian Flaatten, Development Team Leader.
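The following is an added, hypothetical example and not PHP-Fusion's PasswordAuth code: it shows a reset routine and a login check that both fail closed on an empty stored hash (the condition described above), plus an audit helper of the kind a site owner would run before changing passwords manually. The column names `user_name` and `user_admin_password` and the sample rows are assumptions constructed for the example.

```php
<?php
// Hypothetical example, not PHP-Fusion's own code. Column names are constructed.

/**
 * Generate a random admin password, hash it and return [plaintext, hash].
 * Throws rather than returning an empty value, so an empty hash is never stored.
 */
function reset_admin_password(): array
{
    $plain = bin2hex(random_bytes(12));           // 24 hex characters, never empty
    $hash  = password_hash($plain, PASSWORD_DEFAULT);
    if ($plain === '' || $hash === false || $hash === '') {
        throw new RuntimeException('reset produced an empty credential; aborting');
    }
    return [$plain, $hash];
}

/**
 * Verify a submitted password against the stored hash.
 * An empty or missing stored hash means "no valid credential": always deny.
 */
function verify_admin_password(string $submitted, ?string $stored_hash): bool
{
    if ($stored_hash === null || $stored_hash === '' || $submitted === '') {
        return false;                              // fail closed, never "any password works"
    }
    return password_verify($submitted, $stored_hash);
}

/**
 * Audit helper: return the names of accounts whose stored admin password field
 * is empty, i.e. the accounts a faulty reset could have left open.
 */
function find_accounts_with_empty_password(array $rows): array
{
    $open = [];
    foreach ($rows as $row) {
        if (trim((string) ($row['user_admin_password'] ?? '')) === '') {
            $open[] = $row['user_name'];
        }
    }
    return $open;
}

// Constructed sample data, not real site data.
[$plain, $hash] = reset_admin_password();
assert(verify_admin_password($plain, $hash) === true);
assert(verify_admin_password('anything', '') === false); // empty stored hash: denied
$rows = [
    ['user_name' => 'alice', 'user_admin_password' => $hash],
    ['user_name' => 'bob',   'user_admin_password' => ''],
];
assert(find_accounts_with_empty_password($rows) === ['bob']);
echo "checks passed\n";
```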
Posted on May 30 2011 under Security