AUR web interface

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/
Tasklist

FS#65325 - password change is allowed without knowing current password

Attached to Project: AUR web interface
Opened by gentoo_eshoes (gentoo_eshoes) - Thursday, 30 January 2020, 02:08 GMT
Last edited by Lukas Fleischer (lfleischer) - Friday, 21 February 2020, 07:43 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version 4.7.0
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

In the "My Account" section eg. https://aur.archlinux.org/account/gentoo_eshoes/edit/
there are only two fields(among the others) for password setting:
Password:
Re-type password:

if left blank, current password isn't changed, which is normal.

But without a field to enter the current password, a new password can be set here.
This means that anyone who's got my login cookie(somehow) can set a new password, without knowing the current one, and who knows what else they can set(a new email address, a new SSH Public Key - didn't test how these work at the moment, maybe access to old email address is still required?)

This task depends upon

Closed by  Lukas Fleischer (lfleischer)
Friday, 21 February 2020, 07:43 GMT
Reason for closing:  Fixed
Comment by Lukas Fleischer (lfleischer) - Thursday, 30 January 2020, 09:34 GMT
  • Field changed: Visibility (Private → Public)
Fixed in daee20c (Require current password when setting a new one, 2020-01-30).
Comment by gentoo_eshoes (gentoo_eshoes) - Thursday, 30 January 2020, 12:37 GMT
Thank for the prompt fix.

There is a slight typo: "passport" in the text:

"If you want to change the password, enter your current passport, the new password and confirm the new password by entering it again."

https://git.archlinux.org/aurweb.git/commit/?h=live&id=23fbc3db99b73261c0fb96b07ee2044d46492db6

Reported Version(for this issue) is 4.7.0 but I somehow remember it was correctly set to 4.8.0, though I might remember wrongly. If someone could set it correctly I'd appreciate it. Thanks.


Thank you for your work.
Comment by Lukas Fleischer (lfleischer) - Thursday, 30 January 2020, 13:33 GMT
Good catch. There have been additional changes since then (a password is now required for all account changes) and the typo is no longer there.
Comment by gentoo_eshoes (gentoo_eshoes) - Thursday, 30 January 2020, 14:06 GMT
Excellent work!

Loading...