Chamilo LMS Password Reset Mechanism Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability exists in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, where the password reset mechanism is flawed: the reset token is derived by hashing the user's email address with SHA-1, with no random component, no expiration and no rate limiting. This allows an attacker to calculate the reset token and change a user's password without authentication. The issue is exacerbated by user IDs being sequential and therefore easy to guess.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, leading to account takeover.

Reproduction

To reproduce this vulnerability, request a password reset for a user account. The reset token is generated by SHA-1 hashing the user's email address, without any randomization or expiration, and can then be used to reset the password without authentication. Note that when the 'user_reset_password' setting is false, the vulnerable reset mechanism is the one active by default.

Remediation

Update to Chamilo LMS 1.11.38 or 2.0.0-RC.3, where this vulnerability has been fixed.
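For contrast, an added example (not Chamilo's code) placing the deterministic token described above beside a reset-token design that has the properties the advisory says are missing: a random secret, an expiry, single use, and a per-user request limit. The TTL, the hourly cap and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Weak pattern described in the advisory: the token is a pure function of the
# e-mail address, so it is identical on every request and carries no secret.
def weak_reset_token(email: str) -> str:
    return hashlib.sha1(email.lower().encode()).hexdigest()

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for the hardened design
MAX_ISSUES_PER_HOUR = 3       # assumed per-user request limit

class ResetTokenStore:
    """Hardened design (added example, not Chamilo's code). The caller passes
    the current time so the flow is deterministic and testable."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[int, float]] = {}  # sha256(token) -> (user_id, expires_at)
        self._issued: Dict[int, List[float]] = {}         # user_id -> issue timestamps

    def issue(self, user_id: int, now: float) -> Optional[str]:
        # Rate limit: refuse once the user has hit the hourly cap.
        recent = [t for t in self._issued.get(user_id, []) if now - t < 3600]
        if len(recent) >= MAX_ISSUES_PER_HOUR:
            return None
        self._issued[user_id] = recent + [now]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a hash so a database leak does not expose live tokens.
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[token_hash] = (user_id, now + TOKEN_TTL_SECONDS)
        return token  # delivered to the user's mailbox only, never logged

    def consume(self, token: str, now: float) -> Optional[int]:
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use, whether or not it has expired.
        record = self._pending.pop(token_hash, None)
        if record is None:
            return None
        user_id, expires_at = record
        if now > expires_at:
            return None
        return user_id
```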

Added: Apr 10, 2026, 7:22 PM
Updated: Apr 10, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 8.9
remediation: 7.7
relevance: 5.7
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.