CVE-2020-7245
📋 TL;DR
This vulnerability allows attackers to hijack any user account in CTFd by registering with the victim's username padded with whitespace. When password reset is triggered for the malicious account, the system resets the victim's password instead. All CTFd instances running versions 2.0.0 through 2.2.2 with email functionality enabled are affected.
💻 Affected Systems
- CTFd
📦 What is this software?
CTFd by CTFd
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of any user account including administrators, leading to data theft, competition manipulation, and full system takeover.
Likely Case
Targeted account takeover of specific users, potentially compromising competition integrity and sensitive user data.
If Mitigated
No impact if patched or email functionality disabled; limited to denial of service if password resets are monitored.
🎯 Exploit Status
Exploitation requires only registration access and knowledge of the target username. No authentication is needed for the initial registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.2.3
Vendor Advisory: https://github.com/CTFd/CTFd/releases/tag/2.2.3
Restart Required: Yes
Instructions:
1. Back up the current CTFd instance and database.
2. Download CTFd v2.2.3 from the GitHub releases page.
3. Replace the existing installation with the patched version.
4. Restart the CTFd service.
5. Verify functionality.
🔧 Temporary Workarounds
Disable Email Functionality
Temporarily disable the email and password reset functionality to prevent exploitation while patching.
Edit the CTFd configuration to disable the MAIL_SERVER settings or set MAIL_ENABLED=false.
Implement Registration Restrictions
Add web application firewall rules to block registration attempts with whitespace in usernames.
WAF-specific: configure rules to reject registration POST requests containing whitespace in the username parameter.
🧯 If You Can't Patch
- Disable user registration completely and manage accounts manually
- Implement external authentication (OAuth/SAML) bypassing vulnerable registration flow
🔍 How to Verify
Check if Vulnerable:
Attempt to register an account with a username containing leading or trailing whitespace. If the registration succeeds, the system is vulnerable.
Check Version:
Check the CTFd admin panel or inspect the installed package version: pip show CTFd | grep Version
Verify Fix Applied:
Attempt the same registration test; it should fail with a validation error. Confirm that the CTFd version is 2.2.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- Multiple registration attempts with similar usernames
- Password reset requests for recently registered accounts
- User complaints about password reset emails they didn't request
Network Indicators:
- POST requests to /register with whitespace in username parameter
- Rapid succession of registration then password reset requests
SIEM Query:
source="ctfd.log" ("register" AND "username" AND ("%20" OR "\t")) OR ("password_reset" AND "success" WITHIN 5m OF "register")
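The log and network indicators above, turned into a check over constructed log lines. This is an added example, not CTFd's own code or logging: the one-line log format, the `/reset_password` path and the 5-minute window are assumptions.

```python
"""Flag CVE-2020-7245 indicators in CTFd request logs (added example).

Assumed, constructed log format (not real CTFd output):
  "<ISO timestamp> <client ip> <method> <path> username=<urlencoded name>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample lines: one padded "admin " registration followed by a
# quick reset, one tab-padded "\tbob" registration with a reset an hour later.
SAMPLE_LOG = """\
2020-02-01T10:00:00 203.0.113.5 POST /register username=alice
2020-02-01T10:01:10 198.51.100.7 POST /register username=admin%20
2020-02-01T10:02:30 198.51.100.7 POST /reset_password username=admin%20
2020-02-01T10:05:00 203.0.113.9 POST /register username=%09bob
2020-02-01T11:00:00 203.0.113.9 POST /reset_password username=bob
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window ("rapid succession")


def parse(line):
    """Split one assumed-format line; decodes %20, %09 and '+' in the name."""
    ts, ip, method, path, field = line.split(" ", 4)
    name = unquote_plus(field.split("=", 1)[1])
    return datetime.fromisoformat(ts), ip, method, path, name


def padded(name):
    """Leading/trailing whitespace is the core indicator for this CVE."""
    return name != name.strip()


def find_indicators(log_text):
    """Return (padded registrations, resets within WINDOW of a registration
    of the same stripped username), each as (timestamp, ip, raw name)."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    padded_regs = [(ts, ip, name) for ts, ip, _, path, name in events
                   if path == "/register" and padded(name)]
    reg_times = defaultdict(list)  # stripped name -> registration times
    for ts, _, _, path, name in events:
        if path == "/register":
            reg_times[name.strip()].append(ts)
    fast_resets = [(ts, ip, name) for ts, ip, _, path, name in events
                   if path == "/reset_password"
                   and any(timedelta(0) <= ts - rt <= WINDOW
                           for rt in reg_times.get(name.strip(), []))]
    return padded_regs, fast_resets
```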