# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (2019-05-15T11:48:39Z)

## [Security: low] register_token used for account creation can be used as a valid session identifier
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1744
Author: Clément OUDOT, 2019-05-15T11:48:39Z

### References
* [CVE-2019-12046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12046)
* [Debian #928944](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944)
### Summary
Duplicate of #1743 but for 1.9 branch
Milestone: 1.9.19

## [Security: low] Captcha session id is too weak
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1567
Author: Clément OUDOT, 2019-05-12T16:27:41Z

To build captcha session id, we use the MD5 of the captcha code:
```perl
use Digest::MD5 qw(md5_hex);

# The captcha session id is derived directly from the captcha code,
# so anyone who can guess the code can reproduce the id (and vice versa).
my $md5 = md5_hex($code);
```
But an attacker can brute force the MD5 to find the captcha code:
![image](/uploads/cd98ef0da775842a1e25393a7e1d9e36/image.png)
The recommendation is to have a captcha session id that has no link with the captcha code.
Seems the issue is for 1.9 and 2.0 versions.

Milestone: 1.9.19