View Issue Details
| Field | Value |
|---|---|
| ID | 0014486 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2012-07-15 10:07 |
| Last Update | 2018-09-04 02:47 |
| Reporter | tvo |
| Assigned To | vboctor |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | Linux |
| OS | Ubuntu |
| OS Version | 11.10 |
| Product Version | 1.2.11 |
| Target Version | 1.3.0-beta.1 |
| Fixed in Version | 1.3.0-beta.1 |
| Summary | 0014486: Secure session login is false security while changing password does not require old password |

Description:

I just noticed a security weakness in mantis. If

However, changing your password does not require your old password. Thus, with an open session, without knowing the old password, and without an open secure session, it is possible to open a secure session simply by changing the user password, and then using this new password to open the secure session and access the administrative area. I suspect this might be used, if an attacker manages to take over a normal session (maybe just by sitting at his computer while he is away) of an administrator, to access the administrative area, even though the extra login was there to prevent this!

Additional Information:

Suggested solution: Require user to enter old password when changing user password.

Tags: No tags attached.
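A toy model of the logic flaw this report describes and of the check the fix adds, written as an added example rather than MantisBT code: the class and method names are invented, and PBKDF2 stands in for whatever password hashing the real application uses. The vulnerable and fixed password-change paths sit side by side so the difference in what a hijacked normal session can reach is testable.

```python
# Added example modelling the logic flaw in 0014486; not MantisBT code.
# Account, open_secure_session, change_password_* are invented names, and
# PBKDF2 stands in for whatever hashing the real application uses.
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.secure_session = False  # the extra login gating the admin area

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def open_secure_session(self, password: str) -> bool:
        # The re-authentication step: only a correct password opens it.
        self.secure_session = self.verify(password)
        return self.secure_session

    def change_password_vulnerable(self, new_password: str) -> None:
        # Pre-fix behaviour: any logged-in session may set a new password,
        # so the secure-session check above can then be satisfied with it.
        self.pw_hash = _hash(new_password, self.salt)

    def change_password_fixed(self, current: str, new_password: str) -> bool:
        # Behaviour after 5ea4f8ff: the current password must be proven
        # before the stored hash changes.
        if not self.verify(current):
            return False
        self.pw_hash = _hash(new_password, self.salt)
        return True


def admin_reachable_from_hijacked_session(account: Account, fixed: bool) -> bool:
    """Regression check: a hijacked normal session holds no password.
    Returns True if it can still end up inside a secure session."""
    chosen = "attacker-chosen"
    if fixed:
        account.change_password_fixed("not-the-real-one", chosen)  # rejected
    else:
        account.change_password_vulnerable(chosen)  # accepted unchecked
    return account.open_secure_session(chosen)
```

The regression check is the kind of test that would have caught the bypass: with the unfixed path it returns True, with the fixed path it returns False while the legitimate owner can still rotate the password after proving the current one.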
MantisBT: master 5ea4f8ff 2013-10-17 21:20

Fixes 0014486: Secure session login is false security while changing password does not require old password

- Require current password to change it.
- Require re-auth (similar to admin page) when accessing account page so that email can't be changed without a recent login.

Affected Issues: 0014486

Modified files:

- account_page.php
- account_update.php
- core/constant_inc.php
- lang/strings_english.txt
MantisBT: master 51f6cae2 2013-11-14 09:48

Do not reauthenticate user when verifying signup

Issue 0014486 introduced a regression, preventing users from verifying their account creation as Mantis was requesting their current password, which they can't possibly know.

Fixes 0016621

Affected Issues: 0014486, 0016621

Modified files:

- account_page.php
- account_update.php
- core/constant_inc.php
- verify.php