I don't see where this is a vulnerability. Of course, you can delete
the account you just created. It would be bad if you were able to
delete other accounts in this way, but that's not the case.
On 27.04.2021 18:00, Victor Stinner wrote:
> Hi,
>
> Can someone please have a look? We receive this email on the Python
> security list.
>
> Thanks,
> Victor
>
> On Sat, Mar 20, 2021 at 1:26 PM shubham more wrote:
>>
>> Title:
>> insecure account deletion
>>
>> Description:
>> Hi Team,
>>
>> The removal of an account is one of the sensitive parts of a web
>> application that need to be protected, therefore removing an account
>> should validate the authenticity of the user. However, I have found
>> that when removing an account, the system did not require the user
>> to input the account password.
>>
>> Steps to reproduce:
>> 1) go to website https://www.python.org/accounts/signup/ -> sign up
>> 2) log in
>> 3) click on edit profile
>> 4) scroll to the website's last option, delete account
>> 5) click on delete account
>> result: account deleted successfully
>>
>> Impact:
>> An intruder can easily delete the account because the system did not
>> protect it by asking for the password to validate that the person
>> deleting the account is the real user.
>> ___
>> PSRT mailing list -- p...@python.org
>> To unsubscribe send an email to psrt-le...@python.org
>> https://mail.python.org/mailman3/lists/psrt.python.org/
>> Member address: vstin...@python.org
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Experts (#1, Apr 27 2021)
>>> Python Projects, Coaching and Support ... https://www.egenix.com/
>>> Python Product Development ... https://consulting.egenix.com/
::: We implement business ideas - efficiently in both time and costs :::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
https://www.egenix.com/company/contact/
https://www.malemburg.com/
___
pydotorg-www mailing list
pydotorg-www@python.org
https://mail.python.org/mailman/listinfo/pydotorg-www