Cryptographic Issues Affecting showdoc/showdoc package, versions <2.9.13


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept

EPSS: 0.19% (57th percentile)

  • Snyk ID: SNYK-PHP-SHOWDOCSHOWDOC-1933448
  • published: 1 Dec 2021
  • disclosed: 1 Dec 2021
  • credit: hi-unc1e

Introduced: 1 Dec 2021

CVE-2021-3990
CWE-310

How to fix?

Upgrade showdoc/showdoc to version 2.9.13 or higher.

Overview

showdoc/showdoc is a tool for an IT team to share documents online.

Affected versions of this package are vulnerable to Cryptographic Issues due to the use of a cryptographically weak Pseudo-Random Number Generator (PRNG): logging in via LDAP initializes the account with a weak password.

PoC:

    if ($ldap_user == $username) {
        $userInfo = D("User")->isExist($username);
        if (!$userInfo) {
            D("User")->register($ldap_user, $ldap_user.time()); //【register with a weak password, such as: tom/tom1637248826】
        }
        $rs2 = ldap_bind($ldap_conn, $dn, $password); //【when the LDAP password is WRONG, no password change will be implemented】
        if ($rs2) {
            D("User")->updatePwd($userInfo['uid'], $password);
            return $this->checkLogin($username, $password);
        }
    }
}

  1. Suppose there is a valid LDAP user, say one named tom, and his account gets activated (for example by a login with a WRONG password, such as tom/123456).

  2. A record is then added to the database (by D("User")->register($ldap_user,$ldap_user.time());) with a password like tom1637248826, but the password change D("User")->updatePwd($ won't work.

  3. Because the password is known to have the form tom.time(), and time() is one kind of pseudo-random number, it can easily be obtained with a brute-force tool (such as Burp Intruder).

  4. Thus, in this situation, an attacker could brute force tom's password until reaching tom1637248826.
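A hardened form of the flow in the excerpt above, as an added example: this is not ShowDoc's code and not the 2.9.13 patch. The `$users` array stands in for `D("User")`, `$bind` stands in for `ldap_bind()`, and all function names are hypothetical.

```php
<?php
// Added illustration only; not ShowDoc source code.

// Pattern from the excerpt: initial password = username . time().
// Anyone who knows the username and roughly when the account was
// created can enumerate every possible value.
function weakInitialPassword(string $user, int $now): string {
    return $user . $now;
}

// Hardened placeholder: 32 bytes from the OS CSPRNG, hex-encoded.
// It has no relation to the username or the clock.
function strongInitialPassword(): string {
    return bin2hex(random_bytes(32));
}

// Hardened flow: verify the LDAP credentials FIRST. The local record is
// created and updated only after a successful bind, so a failed login
// never leaves an account with a placeholder password behind.
function ldapLogin(array &$users, callable $bind, string $user, string $pw): bool {
    if (!$bind($user, $pw)) {
        return false; // nothing is written on a failed bind
    }
    if (!isset($users[$user])) {
        // Mirrors register(): provision with an unguessable placeholder.
        $users[$user] = password_hash(strongInitialPassword(), PASSWORD_DEFAULT);
    }
    // Mirrors updatePwd(): store a hash of the verified LDAP password.
    $users[$user] = password_hash($pw, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample data: an in-memory user store and a fake directory
// that accepts exactly one username/password pair.
$users = [];
$bind  = fn(string $u, string $p): bool => $u === 'tom' && $p === 'correct-ldap-password';

// The weak scheme reproduces the value quoted in the PoC.
var_dump(weakInitialPassword('tom', 1637248826));

// A wrong LDAP password is rejected and no local record is created.
var_dump(ldapLogin($users, $bind, 'tom', '123456'));
var_dump(isset($users['tom']));

// A correct LDAP password creates the record and stores its hash.
var_dump(ldapLogin($users, $bind, 'tom', 'correct-ldap-password'));
var_dump(password_verify('correct-ldap-password', $users['tom']));
```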
