Re: [pydotorg-www] [PSRT] Bug in website

2021-04-27 Thread M.-A. Lemburg
I don't see where this is a vulnerability. Of course you can delete
the account you just created. It would be bad if you were able to
delete other accounts in this way, but that's not the case.

On 27.04.2021 18:00, Victor Stinner wrote:
> Hi,
> 
> Can someone please have a look? We receive this email on the Python
> security list.
> 
> Thanks,
> Victor
> 
> On Sat, Mar 20, 2021 at 1:26 PM shubham more
>  wrote:
>>
>> Title:
>> insecure account deletion
>>
>> Description:
>> Hi Team,
>>
>> The removal of an account is one of the sensitive parts of a web
>> application that need to be protected; therefore removing an account
>> should validate the authenticity of the user. However, I have found
>> that when removing an account, the system did not require the user to
>> input the account password.
>>
>> Steps to reproduce:
>> 1) go to https://www.python.org/accounts/signup/ -> sign up
>> 2) log in
>> 3) click on edit profile
>> 4) scroll to the website's last option, delete account
>> 5) click on delete account
>> result: account deleted successfully
>>
>> Impact:
>> An intruder can easily delete the account because the system did not
>> protect it by asking for the password to validate that the person
>> deleting the account is the real user.
>> ___
>> PSRT mailing list -- p...@python.org
>> To unsubscribe send an email to psrt-le...@python.org
>> https://mail.python.org/mailman3/lists/psrt.python.org/
>> Member address: vstin...@python.org
> 
> 
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Apr 27 2021)
>>> Python Projects, Coaching and Support ...https://www.egenix.com/
>>> Python Product Development ...https://consulting.egenix.com/


::: We implement business ideas - efficiently in both time and costs :::

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
https://www.egenix.com/company/contact/
https://www.malemburg.com/

___
pydotorg-www mailing list
pydotorg-www@python.org
https://mail.python.org/mailman/listinfo/pydotorg-www


Re: [pydotorg-www] [PSRT] Bug in website

2021-04-27 Thread Victor Stinner
Hi,

Can someone please have a look? We receive this email on the Python
security list.

Thanks,
Victor

On Sat, Mar 20, 2021 at 1:26 PM shubham more
 wrote:
>
> Title:
> insecure account deletion
>
> Description:
> Hi Team,
>
> The removal of an account is one of the sensitive parts of a web
> application that need to be protected; therefore removing an account
> should validate the authenticity of the user. However, I have found
> that when removing an account, the system did not require the user to
> input the account password.
>
> Steps to reproduce:
> 1) go to https://www.python.org/accounts/signup/ -> sign up
> 2) log in
> 3) click on edit profile
> 4) scroll to the website's last option, delete account
> 5) click on delete account
> result: account deleted successfully
>
> Impact:
> An intruder can easily delete the account because the system did not
> protect it by asking for the password to validate that the person
> deleting the account is the real user.



-- 
Night gathers, and now my watch begins. It shall not end until my death.
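The check the report asks for, shown as an added example that is not python.org's code (the in-memory AccountStore, the user names and the method names are all assumed for illustration): a deletion handler that demands the account's current password from whoever holds the session, placed next to the session-only variant the report describes. The contrast shows what re-authentication does and does not buy: a forgotten or stolen session can no longer delete the account on its own, but, as Marc-Andre notes, neither flow lets a user touch anyone else's account, since the target is always derived from the session and never from the request.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for the PBKDF2 password hash; constructed value for this example.
_PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 from the stdlib."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class AccountStore:
    """Hypothetical in-memory stand-in for the site's user and session tables."""

    def __init__(self):
        self.users = {}     # username -> {"salt": bytes, "digest": bytes}
        self.sessions = {}  # session token -> username

    def sign_up(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest}

    def log_in(self, username, password):
        """Return a fresh session token on success, None otherwise."""
        user = self.users.get(username)
        if user is None or not verify_password(password, user["salt"], user["digest"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def delete_account_session_only(self, session_token):
        """The flow the report describes: a valid session is all it takes."""
        username = self.sessions.get(session_token)
        if username is None:
            return False
        self._purge(username)
        return True

    def delete_account_reauth(self, session_token, current_password):
        """Hardened flow: the session holder must also present the current password.

        The account being deleted is still taken from the session, so the
        password check guards against an unattended or hijacked session,
        not against deleting other people's accounts (which neither flow allows).
        """
        username = self.sessions.get(session_token)
        if username is None:
            return False
        user = self.users[username]
        if not verify_password(current_password, user["salt"], user["digest"]):
            return False
        self._purge(username)
        return True

    def _purge(self, username):
        del self.users[username]
        # Invalidate every session for the deleted account, not only the caller's.
        for token in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[token]
```

In a real deployment the same idea is usually paired with a CSRF-protected POST and, for accounts with a second factor, a step-up prompt for that factor instead of or in addition to the password; the shape of the check (derive the target from the session, then require a fresh proof of identity before the destructive write) is the same.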


[pydotorg-www] TimHuegerich would like to edit the wiki

2021-04-27 Thread Tim Huegerich
Thank you!
Tim