A critical vulnerability has been discovered in the popular content management system (CMS) b2evolution, allowing remote, unauthenticated attackers to bypass the authorization process and predict password reset tokens for any user. This flaw enables the attacker to obtain valid user sessions and even reset their passwords without their consent. The vulnerability, identified as CVE-2022-30935, has been tested and confirmed in b2evolution version 7.2.3. However, it may also affect earlier versions and potentially earlier major versions.

Exploit Details

The authorization bypass vulnerability stems from the weak random number generation used to create password reset tokens. Specifically, the generate_random_key() function, which produces the token during the password reset process, relies on a generator that lacks sufficient entropy and is not cryptographically secure. This weakness makes it possible for remote attackers to predict reset tokens and gain unauthorized access to user accounts.

Here's a code snippet illustrating the vulnerable function in b2evolution:

// Vulnerable token generator: mt_rand() (Mersenne Twister) is not a CSPRNG,
// so its output can be predicted once enough of its state is observed.
function generate_random_key( $len = 32 )
{
  $key = '';
  $base = 'ABCDEFGHKLMNOPQRSTWXYZabcdefghjkmnopqrstwxyz123456789';
  $max = strlen( $base ) - 1;

  for( $i = 0; $i < $len; $i++ )
  {
    // Pick one character per position from the alphabet above
    // (the original used the legacy $base{...} offset syntax, removed in PHP 8).
    $key .= $base[ mt_rand( 0, $max ) ];
  }

  return $key;
}

It is important to understand that the mt_rand() function does not create cryptographically secure random numbers, making the generated password reset tokens easily predictable by a determined attacker.
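For comparison, here is a hardened version of the same token generator, added as an example that is not b2evolution's own code; it keeps the original alphabet and length but draws from PHP's CSPRNG (random_int(), PHP 7.0+) and adds a hashed-storage and constant-time verification pattern. The function names generate_secure_key(), store_reset_token_hash() and verify_reset_token() are assumptions for this example.

```php
<?php
// Added example, not b2evolution's code. Requires PHP 7.0+.

function generate_secure_key( int $len = 32 ): string
{
    // Same 53-character alphabet as the original so the token format is unchanged;
    // with a real CSPRNG, 32 positions give roughly 32 * log2(53) ≈ 183 bits.
    $base = 'ABCDEFGHKLMNOPQRSTWXYZabcdefghjkmnopqrstwxyz123456789';
    $max  = strlen( $base ) - 1;
    $key  = '';

    for( $i = 0; $i < $len; $i++ )
    {
        // random_int() is uniform over [0, $max] and backed by the OS CSPRNG;
        // it throws if no secure source is available instead of degrading silently.
        $key .= $base[ random_int( 0, $max ) ];
    }

    return $key;
}

// Store only a hash of the token, so a database read does not yield a usable
// reset link. The plain token goes to the user (e.g. by e-mail) exactly once.
function store_reset_token_hash( string $token ): string
{
    return hash( 'sha256', $token );
}

// Compare the presented token against the stored hash in constant time.
// Callers should also enforce an expiry and invalidate the hash after one use.
function verify_reset_token( string $presented, string $stored_hash ): bool
{
    return hash_equals( $stored_hash, hash( 'sha256', $presented ) );
}

// Usage sketch
$token = generate_secure_key();            // sent to the user
$hash  = store_reset_token_hash( $token ); // persisted with an expiry timestamp
var_dump( verify_reset_token( $token, $hash ) );
var_dump( verify_reset_token( 'not-the-token', $hash ) );
```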

Send a specially crafted password reset request on behalf of the target user.

3. Analyze the resulting password reset token using the known weaknesses in the randomness function to predict subsequent tokens.

References

- CVE-2022-30935: The official CVE entry for the vulnerability.
- b2evolution Security Advisory: The official security advisory from b2evolution containing information about the vulnerability and patches.
- NVD - CVE-2022-30935: The National Vulnerability Database's entry for CVE-2022-30935.

Recommendations

Website administrators who use b2evolution are strongly urged to update their CMS installation to the latest version as soon as possible. Users who are maintaining a non-default installation of b2evolution should still review their update options, as the vulnerable function could be exposed in other aspects of the software. Additionally, it is essential to keep track of security advisories in the b2evolution community and to follow recommended best practices to safeguard against potential threats.

By staying informed and taking immediate action to update affected installations, b2evolution users can protect their websites and users from unauthorized access and exploitation caused by this critical vulnerability.

Timeline

Published on: 09/28/2022 11:15:00 UTC
Last modified on: 09/30/2022 13:35:00 UTC