Reviewed:  https://reviews.mahara.org/7167
Committed: https://git.mahara.org/mahara/mahara/commit/fe6087caa0c3b9e4abe4386c8afa329d42631389
Submitter: Robert Lyon (robe...@catalyst.net.nz)
Branch:    15.04_STABLE

commit fe6087caa0c3b9e4abe4386c8afa329d42631389
Author: Robert Lyon <robe...@catalyst.net.nz>
Date:   Tue Oct 4 13:54:44 2016 +1300

Bug 1577251: Delete password requests when changing primary email

behatnotneeded

Change-Id: I63080b651e08e8e747a891e9f7f2283bfecb72f1
Signed-off-by: Robert Lyon <robe...@catalyst.net.nz>
(cherry picked from commit 6cfb0274081b55dade4edb526a2db580b15dc2c4)
(cherry picked from commit 4a51beb36d4bfb0619024b2917c4e103eb0bae30)

https://bugs.launchpad.net/bugs/1577251

Title:
  Should invalidate password reset links when a user changes their
  primary email address

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  As reported to us through the mahara.org security bug email address,
  by Sajibe kanti.

  When a user completes the "Forgot password?" password reset process,
  we delete any remaining password reset links for that user. However,
  we do not delete these if a user changes their primary email address.
  As the initial email points out, that could lead to an attack like
  this:

  1. Attacker compromises victim's Mahara account (without changing victim's password).
  2. Attacker changes their account's primary email address to the attacker's email address.
  3. Attacker uses "Forgot password" page to request a password reset email. They don't immediately use the link in the password reset email; instead they store it for later.
  4. Victim realizes their Mahara account is compromised, and logs in to their account.
  5. Victim attempts to secure their account by changing their password (through account settings page), and changing their primary email address back to their own.

  Expected result: The attacker is locked out of the victim's Mahara
  account

  Actual result: The attacker uses their stored password reset email to
  change the user's password and regain access to their account.


  We could help reduce this attack vector, by deleting any outstanding password
  reset emails for a user, when the user updates their account's primary email
  address. We should probably also delete any outstanding password reset emails
  for a user, when they change their account password through the account
  settings page. It may be worth considering other situations where password
  reset emails should be deleted, as well.
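The invalidation the report asks for, as an added illustration that is not Mahara's own code: a minimal reset-request store with the two hooks (primary email change and password change) the report names, and a replay of the five steps above showing that the stored link only survives the owner's cleanup when those hooks are missing. Class and function names are constructed for this example.

```python
"""Model of the bug 1577251 fix: outstanding password-reset requests are
dropped when the primary email (or password) changes, not only when a reset
is completed. Constructed example; no Mahara functions or table names."""
import secrets


class ResetRequests:
    # Outstanding reset links, keyed by the secret token sent in the email.
    def __init__(self):
        self._by_token = {}  # token -> user_id

    def request(self, user_id):
        token = secrets.token_urlsafe(32)
        self._by_token[token] = user_id
        return token

    def is_valid(self, token, user_id):
        return self._by_token.get(token) == user_id

    def invalidate_user(self, user_id):
        """Delete every outstanding request for this user (the fix)."""
        self._by_token = {t: u for t, u in self._by_token.items() if u != user_id}


class Account:
    def __init__(self, user_id, email, requests):
        self.user_id, self.email, self.requests = user_id, email, requests

    def set_primary_email(self, email, invalidate_resets):
        self.email = email
        if invalidate_resets:  # a new address must not inherit old reset links
            self.requests.invalidate_user(self.user_id)

    def set_password(self, invalidate_resets):
        if invalidate_resets:  # the report suggests the same hook here
            self.requests.invalidate_user(self.user_id)


def stale_link_still_works(invalidate_resets):
    """Replay the sequence from the report. Returns True when the stored
    reset link still redeems after the owner's cleanup (vulnerable case)."""
    store = ResetRequests()
    acct = Account(42, "owner@example.invalid", store)       # constructed user
    acct.set_primary_email("other@example.invalid", invalidate_resets)  # step 2
    stored = store.request(acct.user_id)                                 # step 3
    acct.set_password(invalidate_resets)                                 # step 5
    acct.set_primary_email("owner@example.invalid", invalidate_resets)   # step 5
    return store.is_valid(stored, acct.user_id)
```

`stale_link_still_works(False)` returns True (the pre-fix behaviour); with the hooks enabled it returns False.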
