On 6/4/06, Joern Nettingsmeier <[EMAIL PROTECTED]> wrote:
hi everybody!
i've come across two security issues wrt. admin.changePassword while
digging around:
(1) the password dialog is submitted via GET. this will expose the
password to somebody watching the browser's address bar. the attached
patch changes the method to POST. you can argue that security is
currently not implemented anyway, since we are sending clear-text
around. granted. but: we are using <input type="password"/> fields, so
the goal seems to be: hide the password from people watching the screen.
which implies that the values should be POSTed.
See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
contains a fix for (I think) the same kind of problem that existed on
the login page.
(2) the checkOldPassword flag is set via a request parameter, which can
be easily tampered with by normal users.
if this is meant only as a usability thing, that is not a problem. if
however it is meant to protect logged-in users from having their
passwords changed while they are not looking, this issue becomes important.
my suggestion is to always checkOldPassword if the users do not belong
to the admin group, and to hope that admins know better than to leave
their sessions unattended.
i'm not sure though if i have understood all the side-effects of this,
so i would welcome your comments.
jörn
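The two issues above as an added illustration (constructed for this thread, not the project's or the poster's code): one handler lets the request decide whether the old password is checked, the other decides from the authenticated user's group, as the mail proposes, and refuses GET submissions. The in-memory user store, the group names and the parameter names other than checkOldPassword are assumptions.

```python
import hashlib
import hmac

# Constructed in-memory user store (salts and passwords are made up for the demo).
def _hash(pw: str, salt: str) -> str:
    return hashlib.sha256((salt + pw).encode()).hexdigest()

USERS = {
    "alice": {"group": "users", "salt": "s1", "hash": _hash("old-secret", "s1")},
    "root":  {"group": "admin", "salt": "s2", "hash": _hash("admin-pw", "s2")},
}

def _verify(user: str, candidate: str) -> bool:
    # Constant-time comparison of the stored hash against the candidate.
    return hmac.compare_digest(USERS[user]["hash"], _hash(candidate, USERS[user]["salt"]))

def _set(user: str, new_pw: str) -> None:
    USERS[user]["hash"] = _hash(new_pw, USERS[user]["salt"])

def change_password_vulnerable(session_user: str, method: str, params: dict) -> str:
    """Mirrors the flaw in the mail: checkOldPassword comes from the request,
    so any user can skip the check, and the form may arrive via GET."""
    if params.get("checkOldPassword", "true") == "true":
        if not _verify(session_user, params.get("oldPassword", "")):
            return "old password wrong"
    _set(session_user, params["newPassword"])
    return "changed"

def change_password_hardened(session_user: str, method: str, params: dict) -> str:
    """Server-side policy: reject GET (password would land in the address bar
    and logs) and derive the old-password check from the user's group only."""
    if method != "POST":
        return "method not allowed"
    must_check = USERS[session_user]["group"] != "admin"
    if must_check and not _verify(session_user, params.get("oldPassword", "")):
        return "old password wrong"
    _set(session_user, params["newPassword"])
    return "changed"
```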