Admin Password Reset Malfunction

Recent events have made us aware of a malfunction of the Admin Password Reset page in the Administration Panel of PHPFusion v7.02. Given the right conditions, this malfunction could enable a hacker to gain access to those accounts which have had their password reset using the Admin Password Reset page.

Affected PHPFusion versions: All PHPFusion v7.02.xx.

Details of the malfunction:

The malfunction was caused by an improper implementation of the PasswordAuth class (/includes/classes/PasswordAuth.class.php), which handles login and admin passwords for all users in PHPFusion. As a result, 1 out of 10 reset admins would end up with an empty login password, which enabled a hacker to access the account using a random password of his or her choosing.
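The advisory does not describe how the empty password came to be accepted, only that it was. The following is an added illustration of the defensive property a password check should have, and is not PHPFusion's PasswordAuth class or its actual hashing scheme: the stored-hash format (a salted HMAC-SHA256 hex string), the field names `user_name`, `user_password` and `user_salt`, and the sample rows are all constructed for this example. The verify routine fails closed when the stored hash is empty or malformed, so a reset that leaves the hash empty cannot yield a usable account, and the audit helper implements the advisory's advice to find accounts that need their password set again manually.

```php
<?php
// Added illustration, not PHPFusion's PasswordAuth class. Assumes a simple
// salted HMAC-SHA256 scheme for the stored hash; PHPFusion's own algorithm
// and column names are not described in the advisory.

declare(strict_types=1);

/** Compute the stored form of a password under the assumed scheme. */
function computeHash(string $password, string $salt): string
{
    return hash_hmac('sha256', $password, $salt);
}

/**
 * Verify a login attempt. Fails closed: an empty or malformed stored hash
 * (the state the advisory describes for reset admin accounts) can never
 * match, whatever password is supplied.
 */
function verifyPassword(string $candidate, string $storedHash, string $salt): bool
{
    // A reset that left the hash (or salt) empty must not produce a usable account.
    if ($storedHash === '' || $salt === '') {
        return false;
    }
    // Hex SHA-256 is exactly 64 characters; anything else is corrupt storage.
    if (!preg_match('/^[0-9a-f]{64}$/', $storedHash)) {
        return false;
    }
    // An empty candidate is never a valid login.
    if ($candidate === '') {
        return false;
    }
    // Constant-time comparison of the recomputed hash against the stored one.
    return hash_equals($storedHash, computeHash($candidate, $salt));
}

/**
 * Audit helper for the advisory's advice to check accounts reset via the
 * panel: return the user names whose stored hash is empty or malformed.
 * $rows is a list of ['user_name' => ..., 'user_password' => ..., 'user_salt' => ...]
 * (constructed field names, not PHPFusion's schema).
 */
function findBrokenPasswordRows(array $rows): array
{
    $broken = [];
    foreach ($rows as $row) {
        $hash = (string) ($row['user_password'] ?? '');
        $salt = (string) ($row['user_salt'] ?? '');
        if ($hash === '' || $salt === '' || !preg_match('/^[0-9a-f]{64}$/', $hash)) {
            $broken[] = $row['user_name'];
        }
    }
    return $broken;
}

// Constructed sample data: one healthy account and one whose hash was left
// empty, as the advisory describes for affected reset accounts.
$salt = 'constructed-salt';
$rows = [
    ['user_name' => 'alice', 'user_password' => computeHash('correct horse', $salt), 'user_salt' => $salt],
    ['user_name' => 'bob',   'user_password' => '',                                 'user_salt' => $salt],
];

var_dump(verifyPassword('correct horse', $rows[0]['user_password'], $salt));
var_dump(verifyPassword('wrong',         $rows[0]['user_password'], $salt));
var_dump(verifyPassword('anything',      $rows[1]['user_password'], $salt));
print_r(findBrokenPasswordRows($rows));
```

Run with `php` on the command line; the third `verifyPassword` call is the case the advisory describes (an account with an empty stored password and an arbitrary login attempt), and the audit helper lists that account so its password can be set again by hand.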

Our recommendation:

Until PHPFusion v7.02.03 is released, we discourage all use of the Admin Password Reset page. It is, however, not possible to exploit this problem without first using the Admin Password Reset. If you have used it, we encourage you to change your passwords manually.

More information, as well as patched files, will continuously be made available on the Development Site. In the meantime you can send your questions directly to Hans Kristian Flaatten, Development Team Leader.


starefossen May 30 2011 9,294