
etvansego's avatar

Bug? Copy user password hash to another user in a fresh Laravel application

Hi Laravel community,

I am wondering why it is possible to copy a user's password hash and then replace it with someone else's. I did a fresh install of Laravel 10.42.0 for testing purposes and did not make any changes to the default settings. The driver in the "hashing.php" is set to "bcrypt", and as far as I can see everything is configured correctly. I always thought that "user-salting" would prevent the password hash from being copied and assigned to another user. Have I possibly misunderstood something here?

0 likes
3 replies
jlrdw's avatar

I don't know where to begin?

Only the database manager (developer) can do such a thing. A general user won't have access to this.

So the question, why?

Snapey's avatar

No, there is no salt on the password. But in the scenario you describe, the attacker can just provide a known password, hash it and use that. Copying someone else's password is of no use unless you know their plaintext password also.

martinbean's avatar

@etvansego What are you even trying to accomplish here?

Yes, you could copy the hash from one user row and set it as the password field for another user, and then log in if you know the plaintext password for that hash. But why on earth would you be doing this?
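
The behaviour asked about in this thread, as an added example that is not part of the original posts: PHP's `password_hash()` with `PASSWORD_BCRYPT`, which Laravel's bcrypt driver calls, generates a random salt and stores it inside the hash string, and nothing in that string refers to the user row it sits in. The user names and passwords are constructed sample data, the array stands in for a `users` table, and `bcrypt_parts()` is a hypothetical helper.

```php
<?php
// Added illustration; all users and passwords below are constructed sample data.

// Split a bcrypt string "$2y$<cost>$<22-char salt><31-char digest>" into its fields.
function bcrypt_parts(string $hash): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Stand-in for the users table (hypothetical rows). alice and bob share a plaintext.
$opts  = ['cost' => 10];
$users = [
    'alice' => password_hash('alice-secret', PASSWORD_BCRYPT, $opts),
    'bob'   => password_hash('alice-secret', PASSWORD_BCRYPT, $opts),
    'carol' => password_hash('carol-secret', PASSWORD_BCRYPT, $opts),
];

// 1. What the salt does: equal passwords get different salts, so the stored
//    strings differ and cannot be matched against each other or a precomputed table.
$alice = bcrypt_parts($users['alice']);
$bob   = bcrypt_parts($users['bob']);
printf("alice salt: %s\nbob salt:   %s\n", $alice['salt'], $bob['salt']);
printf("salts differ: %s\n", var_export($alice['salt'] !== $bob['salt'], true));
printf("hashes differ: %s\n", var_export($users['alice'] !== $users['bob'], true));

// 2. What the salt does not do: it is not derived from the user id or e-mail.
//    password_verify() reads the salt and cost back out of the string itself,
//    so a hash moved to another row keeps verifying against its original plaintext.
$users['carol'] = $users['alice']; // simulates someone with write access to the table

printf("carol row accepts alice's password: %s\n",
    var_export(password_verify('alice-secret', $users['carol']), true));
printf("carol row accepts carol's old password: %s\n",
    var_export(password_verify('carol-secret', $users['carol']), true));

// 3. The copied row carries alice's salt verbatim.
printf("carol row salt equals alice salt: %s\n",
    var_export(bcrypt_parts($users['carol'])['salt'] === $alice['salt'], true));
```

The salt protects stored hashes against precomputed tables and identical-hash matching; who may write to the `password` column is a separate control, enforced by database and application access rights.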
