Password Recovery function immediately changes password without confirming by email
Bug #675372 reported by Bob Iwamoto
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Eucalyptus | Fix Released | Undecided | Dmitrii Zagorodnov |
Bug Description
Environment: OSS 2.0.1 + CentOS 5.5
Issue:
Password Recovery function on Admin UI immediately changes password without confirming by email. The password should be changed by clicking the link in the confirmation email.
Reproduce:
1. Go to Admin UI (https:/
2. Click on [Recover] link.
3. Fill in all necessary fields, and click on [Recover Password].
4. Login with new password without confirming by email.
Thanks,
Bob
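The behaviour the report asks for, as an added Python example: the recovery request only stages the new password, and it is applied when the token from the confirmation email comes back. This is not Eucalyptus code or the attached patch; the class and method names, the 15-minute token lifetime and the in-memory stores are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 15 * 60  # seconds a confirmation link stays valid (assumed policy)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class RecoveryService:  # hypothetical service, not the Eucalyptus Admin UI
    def __init__(self):
        self.users = {}    # username -> {"email", "salt", "pw"}
        self.pending = {}  # sha256(token) -> (username, salt, pw_hash, expires_at)

    def add_user(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw": hash_password(password, salt)}

    def check_login(self, username, password):
        u = self.users.get(username)
        return bool(u) and hmac.compare_digest(
            u["pw"], hash_password(password, u["salt"]))

    def request_recovery(self, username, email, new_password, now=None):
        """Stage the new password; the live credential is not touched.
        Returns the token that would be put in the emailed link, or None."""
        now = time.time() if now is None else now
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["email"].encode(), email.encode()):
            return None
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash of the token
        self.pending[key] = (username, salt,
                             hash_password(new_password, salt), now + TOKEN_TTL)
        return token

    def confirm_recovery(self, token, now=None):
        """Apply the staged password only when the emailed token is presented."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the token single-use
        if entry is None or now > entry[3]:
            return False
        username, salt, pw_hash, _ = entry
        self.users[username].update(salt=salt, pw=pw_hash)
        return True
```

Step 4 of the reproduction fails against this flow: until `confirm_recovery` succeeds, only the old password logs in.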
Changed in eucalyptus:
assignee: nobody → Dmitrii Zagorodnov (dmitrii)
tags: added: qa verification-failed
Changed in eucalyptus:
status: New → Incomplete
status: Incomplete → New
tags: added: verification-done removed: verification-failed
Patch is attached that applies cleanly against:
lp:ubuntu/maverick/eucalyptus
revno 173. This is a complete patch that resolves this security problem and has been tested against the corresponding upstream version of eucalyptus 2.0