Mahara doesn't ask you for your password before changing your username

Bug #1422492 reported by Aaron Barnes
Affects   Status        Importance  Assigned to  Milestone
Mahara    Fix Released  Medium      Unassigned
  18.10   Fix Released  Medium      Unassigned

Bug Description

These, especially the first, seem like dangerous operations.

Expected behavior is that Mahara would prompt for my current password to prevent someone deleting my user account if I left my account logged in.

Tags: snack-sized


Aaron Wells (u-aaronw) wrote :

Indeed, if we wanted to be more secure, we could consider asking for the password, and/or sending out email notifications, when certain user actions take place. I think maybe a good rule of thumb is any action that can prevent you from being able to log in. So that would be:

1. Changing your password (we already ask for your current password for this)
2. Changing your username
3. Changing your primary email address (because this can make it impossible to recover your password)
4. Deleting your own account

Changed in mahara:
status: New → Confirmed
importance: Undecided → Low
milestone: none → 15.10.0
information type: Private Security → Public Security
tags: added: snack-sized
Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 15.10.0 → 16.04.0
Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 16.04.0 → 16.10.0
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.0 → 16.10.1
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.1 → 17.04.0
Changed in mahara:
milestone: 17.04.0 → none
milestone: none → 17.10.0
importance: Low → Medium
Robert Lyon (robertl-9) wrote :

A problem here is if the user logged in via SSO they don't have/know a password in Mahara

Changed in mahara:
milestone: 17.10.0 → 18.04.0
Robert Lyon (robertl-9) wrote :

Because of the fact a user can SSO in and so they do not have a valid password in Mahara itself we can't force them to re-enter their password to do the following:

1. Changing your username
2. Changing your primary email address (because this can make it impossible to recover your password)
3. Deleting your own account

However we now have some more security around

2. Changing your primary email - we now have a check where when a new email address is being added to the account the existing email addresses get sent a 'heads up' message about the new email address.
3. Deleting your own account - we now have the ability to set a site setting where users deleting their accounts go to a pending confirmation queue which admins need to verify

As for

1. Changing your username

we could send email to user's accounts as a 'heads up' for this as well

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/8589

Robert Lyon (robertl-9)
Changed in mahara:
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8589
Committed: https://git.mahara.org/mahara/mahara/commit/8ad4343d97be9d248088bc64ceaa510d213e1151
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: master

commit 8ad4343d97be9d248088bc64ceaa510d213e1151
Author: Robert Lyon <email address hidden>
Date: Thu Mar 8 10:02:57 2018 +1300

Bug 1422492: Make user enter current password if changing their username

As the change username option only appears on account index page for
those users that have an auth method allowing it we should make the
user also supply their current password when changing username

We hide the confirm password box for username change until they try to
change it

behatnotneeded

Change-Id: Ic05d3c258d331305ae5c07b952ea2a561a8badf1
Signed-off-by: Robert Lyon <email address hidden>
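
The design worked out in this thread and in the commit above, as an added illustration that is not Mahara's own code: sensitive account actions are gated differently depending on whether the account has a local password. A username change is only offered to accounts that can re-enter a current password (SSO-only accounts are refused, as the commit describes); adding an email address sends a heads-up to every existing address; self-deletion goes to a pending queue when the site setting is on. The heads-up mail on username change follows Robert Lyon's suggestion in the thread rather than the merged patch. The `User`, `AccountService`, `hash_password` and `verify_password` names, the PBKDF2 parameters, and the in-memory stand-ins for mail delivery and the admin queue are all assumptions made for this example.

```python
"""Step-up checks for account actions that can lock a user out.

Added example, not Mahara code. Assumes a user record with an optional
local password hash (None means the account authenticates via SSO only),
plus in-memory stand-ins for outgoing mail and the admin approval queue.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed parameter; any modern password KDF would do


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class User:
    username: str
    emails: List[str]
    password_hash: Optional[str]  # None: SSO-only account, no local password
    pending_deletion: bool = False


class AccountService:
    def __init__(self, admin_confirms_deletion: bool = True) -> None:
        # Site setting from the thread: deletions wait for admin verification.
        self.admin_confirms_deletion = admin_confirms_deletion
        self.sent_mail: List[Tuple[str, str]] = []  # (recipient, subject)
        self.deletion_queue: List[str] = []  # usernames awaiting admin review

    def _reauth(self, user: User, current_password: Optional[str]) -> None:
        # SSO users cannot be asked for a Mahara password, so the action is
        # simply not available to them (the option is hidden in the real UI).
        if user.password_hash is None:
            raise PermissionError("no local password: not available for SSO accounts")
        if current_password is None or not verify_password(current_password, user.password_hash):
            raise PermissionError("current password incorrect")

    def _notify_all(self, user: User, subject: str) -> None:
        # Every existing address gets the heads-up, so a hijacker cannot
        # silence the warning by adding their own address first.
        for addr in user.emails:
            self.sent_mail.append((addr, subject))

    def change_username(self, user: User, new_username: str,
                        current_password: Optional[str] = None) -> str:
        self._reauth(user, current_password)  # the merged fix
        old = user.username
        user.username = new_username
        self._notify_all(user, f"Username changed from {old} to {new_username}")  # suggested in thread
        return user.username

    def add_email(self, user: User, new_email: str) -> List[str]:
        # No password check possible for SSO users; rely on the heads-up instead.
        self._notify_all(user, f"New email address {new_email} added to your account")
        user.emails.append(new_email)
        return list(user.emails)

    def delete_account(self, user: User) -> str:
        # Password re-entry for deletion is tracked separately (bug #1758801),
        # so this only models the pending-confirmation queue.
        if self.admin_confirms_deletion:
            user.pending_deletion = True
            self.deletion_queue.append(user.username)
            return "pending"
        return "deleted"


def is_refused(action: Callable[..., object], *args: object) -> bool:
    """True when the action is rejected by the re-authentication gate."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```

The split between `_reauth` and `_notify_all` is the point: re-authentication only works where a local credential exists, so the notification path has to be strong on its own for SSO accounts, which is why the mail goes to every address already on file rather than only the new one.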

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "18.04_STABLE" branch: https://reviews.mahara.org/8704

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8704
Committed: https://git.mahara.org/mahara/mahara/commit/cc3a72945b4f68a3b9ffedca26c877619e348b1f
Submitter: Robert Lyon (<email address hidden>)
Branch: 18.04_STABLE

commit cc3a72945b4f68a3b9ffedca26c877619e348b1f
Author: Robert Lyon <email address hidden>
Date: Thu Mar 8 10:02:57 2018 +1300

Bug 1422492: Make user enter current password if changing their username

As the change username option only appears on account index page for
those users that have an auth method allowing it we should make the
user also supply their current password when changing username

We hide the confirm password box for username change until they try to
change it

behatnotneeded

Change-Id: Ic05d3c258d331305ae5c07b952ea2a561a8badf1
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8ad4343d97be9d248088bc64ceaa510d213e1151)

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
Kristina Hoeppner (kris-hoeppner) wrote :

We'd still need to deal with asking for the password when self-deleting an account. I created bug #1758801 for that.

summary: - Mahara doesn't ask you for your password before deleting your account or
- changing your username
+ Mahara doesn't ask you for your password before changing your username
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information  