View Issue Details

ID: 0014486
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-09-04 02:47
Reporter: tvo
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: Ubuntu
OS Version: 11.10
Product Version: 1.2.11
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary0014486: Secure session login is false security while changing password does not require old password
Description

I just noticed a security weakness in mantis.

If

  • you have a normal session open in a mantis bug tracker, and
  • you are an administrator, and
  • you want to access the administrative area, and
  • you have not accessed the administrative area in a while,
    then you are presented with a login form for a new secure session.

However, changing your password does not require your old password. Thus, with an open session, without knowing the old password, and without an open secure session, it is possible to open a secure session simply by changing the user password, and then using this new password to open the secure session and access the administrative area.

I suspect this might be used, if an attacker manages to take over a normal session (maybe just by sitting at his computer while he is away) of an administrator, to access the administrative area, even though the extra login was there to prevent this!

Steps To Reproduce
  • be an administrator on a mantis installation
  • log on
  • wait for secure session to expire, so that clicking [Manage] brings you to a log in form
  • click My Account
  • change password
  • log in with new access
  • you now have a secure session / can now access the administrative area
Additional Information

Suggested solution:

Require user to enter old password when changing user password.
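The flaw and its fix, modelled in Python as an added example (not MantisBT code; all class and function names are hypothetical, and the timeout and credentials are constructed samples). The secure session is represented by the time of the last password check; the weak handler lets any open session set a new password, the fixed handler requires both a recent login and the current password, as changeset 5ea4f8ff does.

```python
import hashlib
import hmac
import os

SECURE_SESSION_TIMEOUT = 300  # constructed sample: re-auth needed after 5 min idle

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class User:
    def __init__(self, password):
        self.set_password(password)
    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

class Session:
    """Open session; last_auth is when the password was last verified."""
    def __init__(self, user, now):
        self.user, self.last_auth = user, now
    def is_secure(self, now):  # the "secure session" the Manage page demands
        return now - self.last_auth < SECURE_SESSION_TIMEOUT
    def login(self, password, now):
        if not self.user.check_password(password):
            return False
        self.last_auth = now  # a successful password check opens the secure session
        return True

def change_password_weak(session, new_password):
    # 1.2.x behaviour from the report: any open session may set a new password
    session.user.set_password(new_password)
    return True

def change_password_fixed(session, current_password, new_password, now):
    # Changeset 5ea4f8ff: the account page needs a recent login, and the
    # current password is required before a new one is accepted.
    if not session.is_secure(now) or not session.user.check_password(current_password):
        return False
    session.user.set_password(new_password)
    return True

def hijacked_session_gains_admin(fixed):
    """Someone holding an admin's idle session; True if it ends up secure."""
    session = Session(User("admin-secret"), now=0)  # constructed: login at t=0
    now = 1000  # secure session expired long ago
    if fixed:  # the current password is not known, so a guess is supplied
        changed = change_password_fixed(session, "wrong-guess", "attacker", now)
    else:
        changed = change_password_weak(session, "attacker")
    # then log in with the password just set, as in the report's steps
    return changed and session.login("attacker", now) and session.is_secure(now)
```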

Tags: No tags attached.

Relationships

has duplicate 0008335 (closed, vboctor): Changing password should verify that user knows current password
related to 0016621 (closed, dregad): Problem with session when using signup and password reset

Activities

atrol (developer), 2012-07-15 11:04, ~0032339

We should also protect the e-mail address from being changed without entering the password.
Maybe even more (all?) preferences.

atrol (developer), 2012-07-15 11:06, ~0032340

Reminder sent to: dhx

dhx, what do you think?

Related Changesets

MantisBT: master 5ea4f8ff, 2013-10-17 21:20, vboctor

Fixes 0014486: Secure session login is false security while changing password does not require old password

- Require current password to change it.
- Require re-auth (similar to admin page) when accessing account page so that email can't be changed without a recent login.
Affected Issues: 0014486
Files changed:
  • mod - account_page.php
  • mod - account_update.php
  • mod - core/constant_inc.php
  • mod - lang/strings_english.txt

MantisBT: master 51f6cae2, 2013-11-14 09:48, dregad

Do not reauthenticate user when verifying signup

Issue 0014486 introduced a regression, preventing users from verifying
their account creation as Mantis was requesting their current password,
which they can't possibly know.

Fixes 0016621
Affected Issues: 0014486, 0016621
Files changed:
  • mod - account_page.php
  • mod - account_update.php
  • mod - core/constant_inc.php
  • mod - verify.php