Advisories for Composer/Cartalyst/Sentry package

OpenCFP, an open-source conference talk submission system written in PHP, contains a security vulnerability in its third-party authentication framework, Sentry, developed by Cartalyst. The vulnerability stems from how Sentry handles password reset checks. Users lacking a password reset token stored in the database default to having NULL in the reset_password_code column. Exploiting this flaw could allow unauthorized manipulation of any OpenCFP user's password, particularly those without an unused password reset …

Null reset codes are allowed through sentry.

There's a flaw in the DB schema where reset_password_code is NULL by default. If an attacker is able to provide a NULL reset code to the package, there are no guards against arbitrary anonymous password resets. In many cases, submitting a url-encoded null byte value (%00) will match what's in the database, passing the check and allowing the attacker to set the password to what they wish.