URL:
<http://savannah.gnu.org/support/?107268>
Summary: Verification of account email changes is ineffective
Project: Savannah Administration
Submitted by: hashproduct
Submitted on: Sat 13 Feb 2010 05:44:37 PM EST
Category: Savannah website
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email:
Operating System: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
When I change my account email address via the "My Account Conf" page,
Savannah sends a verification link to the new email address to make me prove
that I control it:
You have requested a change of email address on Savannah.
Please visit the following URL to complete the email change:
https://savannah.gnu.org/my/admin/change.php?item=email&confirm_hash=0cdb6814142967ec&step=confirm
-- the Savannah team.
But Savannah sends the same link to my old email address, except for a query
parameter at the end:
Someone, presumably you, has requested a change of email address on Savannah.
If it wasn't you, maybe someone is trying to steal your account...
Your current address is [email protected], the supposedly new address is [email protected].
If you did not request that change, please visit the following URL to discard the email change and report the problem to us:
https://savannah.gnu.org/my/admin/change.php?item=email&step=discard&confirm_hash=0cdb6814142967ec
-- the Savannah team.
So I can complete the verification without actually controlling the new
address! Savannah should be changed to use different tokens in the two links.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107268>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
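Added illustration, not part of the report and not Savannah's own code (Savane is written in PHP; this is a Python model with constructed in-memory tables standing in for the database). It puts the shared-token design the report describes next to one that issues an independent token per purpose and binds the purpose to the token server-side, so that the holder of the discard link cannot swap `step=discard` for `step=confirm`. The `change.php?item=email&confirm_hash=...&step=...` link format comes from the report; all function names, the `PENDING` tables and the sample addresses are assumptions made for the example.

```python
"""Model of the Savannah email-change flow: shared token vs per-purpose tokens."""
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

BASE = "https://savannah.gnu.org/my/admin/change.php?item=email"

# Constructed in-memory table standing in for Savannah's user database.
USERS = {
    "hashproduct": {"email": "old@example.org"},
    "example-user": {"email": "old@example.org"},
}


def token_from_link(link):
    """Pull confirm_hash out of a change.php link, as a mail recipient would."""
    return parse_qs(urlparse(link).query)["confirm_hash"][0]


# --- Vulnerable design (as reported): one confirm_hash, action chosen by step= ---
VULN_PENDING = {}  # confirm_hash -> {"user", "new_email"}


def vulnerable_request(user, new_email):
    # 16 hex chars like the links in the report; the token's size is not the problem.
    h = secrets.token_hex(8)
    VULN_PENDING[h] = {"user": user, "new_email": new_email}
    return {step: f"{BASE}&confirm_hash={h}&step={step}" for step in ("confirm", "discard")}


def vulnerable_handler(confirm_hash, step):
    entry = VULN_PENDING.pop(confirm_hash, None)
    if entry is None:
        return "invalid"
    # The token says nothing about which mailbox it was sent to, so whoever
    # holds the discard link can simply request step=confirm.
    if step == "confirm":
        USERS[entry["user"]]["email"] = entry["new_email"]
        return "changed"
    return "discarded"


# --- Fixed design: independent tokens, purpose bound server-side ---------------
PENDING = {}  # sha256(token) -> {"user", "purpose", "new_email"}


def _key(token):
    # Only a hash of the token is stored, so a read of the table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def _drop_pending(user):
    for k in [k for k, v in PENDING.items() if v["user"] == user]:
        del PENDING[k]


def request_email_change(user, new_email):
    """Issue two unrelated 128-bit tokens: confirm is mailed to new_email, discard to the old address."""
    _drop_pending(user)  # a new request supersedes any earlier one
    links = {}
    for purpose in ("confirm", "discard"):
        token = secrets.token_hex(16)
        PENDING[_key(token)] = {"user": user, "purpose": purpose, "new_email": new_email}
        links[purpose] = f"{BASE}&confirm_hash={token}&step={purpose}"
    return links


def change_email_handler(confirm_hash, step):
    """Handler for change.php?item=email: the token decides the action, step= is only cross-checked."""
    entry = PENDING.get(_key(confirm_hash))
    if entry is None or entry["purpose"] != step:
        return "invalid"  # unknown token, or a discard token presented with step=confirm
    _drop_pending(entry["user"])  # either outcome ends the pending change and voids both links
    if entry["purpose"] == "confirm":
        USERS[entry["user"]]["email"] = entry["new_email"]
        return "changed"
    return "discarded"


if __name__ == "__main__":
    links = vulnerable_request("example-user", "unverified@example.net")
    print("shared token, discard link used as confirm:",
          vulnerable_handler(token_from_link(links["discard"]), "confirm"))
    links = request_email_change("hashproduct", "unverified@example.net")
    print("per-purpose tokens, discard link used as confirm:",
          change_email_handler(token_from_link(links["discard"]), "confirm"))
    print("per-purpose tokens, real confirm link:",
          change_email_handler(token_from_link(links["confirm"]), "confirm"))
```

With the purpose recorded against the token, the `step` parameter becomes redundant and is kept only as a consistency check; whichever link is used first also retires the other, so a confirmed change cannot later be "discarded" from a stale mail and vice versa.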