Humhub insecure password validation and reset design

Posted by A. W. on Dec 15

[+] Humhub insecure password validation and reset design
[+] Discovered by: Jos Wetzels
[+] Affects: Humhub <= 0.10.0-rc.1

Humhub [1] versions 0.10.0-rc.1 and prior suffer from several design
flaws in the implementation of their password reset and password
validation functionality. These flaws have since been resolved in
cooperation with the vendor [2].

1. Insecure password validation

The validatePassword() function located in…