FS#65325 - password change is allowed without knowing current password
Attached to Project:
AUR web interface
Opened by gentoo_eshoes (gentoo_eshoes) - Thursday, 30 January 2020, 02:08 GMT
Last edited by Lukas Fleischer (lfleischer) - Friday, 21 February 2020, 07:43 GMT
Details
In the "My Account" section, e.g.
https://aur.archlinux.org/account/gentoo_eshoes/edit/
there are only two fields (among the others) for password setting: Password: Re-type password: if left blank, current password isn't changed, which is normal. But without a field to enter the current password, a new password can be set here. This means that anyone who's got my login cookie (somehow) can set a new password, without knowing the current one, and who knows what else they can set (a new email address, a new SSH Public Key - didn't test how these work at the moment, maybe access to old email address is still required?)
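The defect described above, as an added example that is not aurweb's own code: a minimal Python account-update handler in its reported form, beside a hardened form that re-verifies the current password before any sensitive change. It goes one step beyond the fix for the password field by also gating email and SSH key changes, which the report only asks about; the field names, the hashing scheme and the user record layout are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 rounds; illustrative, not aurweb's setting

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salthex$digesthex' (PBKDF2-HMAC-SHA256, random salt if none given)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored 'salthex$digesthex'."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

class AccountUpdateError(Exception):
    pass

def _apply(user: dict, form: dict) -> None:
    """Field handling shared by both handlers; blank password fields leave it unchanged."""
    new, again = form.get("new_password", ""), form.get("confirm_password", "")
    if new or again:
        if new != again:
            raise AccountUpdateError("Password fields do not match.")
        user["password_hash"] = hash_password(new)
    for field in ("email", "ssh_key"):  # hypothetical other sensitive fields
        if field in form:
            user[field] = form[field]

def update_account_vulnerable(user: dict, form: dict) -> dict:
    """As reported: a valid session alone is enough to set a new password."""
    _apply(user, form)
    return user

def update_account_fixed(user: dict, form: dict) -> dict:
    """Hardened: any sensitive change is refused unless the current password is re-entered."""
    wants_new_password = bool(form.get("new_password") or form.get("confirm_password"))
    other_change = any(f in form and form[f] != user.get(f) for f in ("email", "ssh_key"))
    if wants_new_password or other_change:
        if not verify_password(form.get("current_password", ""), user["password_hash"]):
            raise AccountUpdateError("Invalid current password.")
    _apply(user, form)
    return user
```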
Closed by Lukas Fleischer (lfleischer)
Friday, 21 February 2020, 07:43 GMT
Reason for closing: Fixed
There is a slight typo: "passport" in the text:
"If you want to change the password, enter your current passport, the new password and confirm the new password by entering it again."
https://git.archlinux.org/aurweb.git/commit/?h=live&id=23fbc3db99b73261c0fb96b07ee2044d46492db6
Reported Version (for this issue) is 4.7.0 but I somehow remember it was correctly set to 4.8.0, though I might remember wrongly. If someone could set it correctly I'd appreciate it. Thanks.
Thank you for your work.