Bug #1284876 “Suspended users can log in via password reset emai...” : Bugs : Mahara

Bug Description

To replicate:

1. Suspend a user account
2. Log out
3. Click on the "forgot password" link, and enter the username for the suspended user
4. Receive the password reset email for that user, click on the link
5. The link takes you to the password reset screen. Fill in a new password there and click submit button

Expected Result: You should see the screen that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s"

Actual Result: You are logged in!

The good news is that don't seem to be able to interact with anybody. All attempts to send messages or create content give an error message which includes the account suspension message and reason. However, you can still read other people's content, and I haven't exhaustively checked for all modes of interaction, so there still might be something malicious you can do.

Tags: Edit Tag help

CVE References

2014-8697

Son Nguyen (ngson2000) wrote on 2014-02-25:

I'd send an email that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s" instead of the link to the password reset page.

Aaron Wells (u-aaronw) wrote on 2014-02-25:

Oops, I forgot to make it a security patch. https://reviews.mahara.org/3042

Aaron Wells (u-aaronw) on 2014-04-01

information type:

Private Security → Public Security

Mahara Bot (dev-mahara) wrote on 2014-04-01: A patch has been submitted for review

Patch for "1.6_STABLE" branch: https://reviews.mahara.org/3160

Mahara Bot (dev-mahara) wrote on 2014-04-01:

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3162

Mahara Bot (dev-mahara) wrote on 2014-04-01: A change has been merged

Reviewed: https://reviews.mahara.org/3162
Committed: http://gitorious.org/mahara/mahara/commit/09e06e80bc12b3f9ec56854aace9adfcdc920995
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 09e06e80bc12b3f9ec56854aace9adfcdc920995
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Mahara Bot (dev-mahara) wrote on 2014-04-01: A patch has been submitted for review

Patch for "1.7_STABLE" branch: https://reviews.mahara.org/3164

Mahara Bot (dev-mahara) wrote on 2014-04-02: A change has been merged

Reviewed: https://reviews.mahara.org/3160
Committed: http://gitorious.org/mahara/mahara/commit/3475f03a3569b91ea787bc0049d85c1b4c77896d
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.6_STABLE

commit 3475f03a3569b91ea787bc0049d85c1b4c77896d
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Mahara Bot (dev-mahara) wrote on 2014-04-03:

Reviewed: https://reviews.mahara.org/3164
Committed: http://gitorious.org/mahara/mahara/commit/f199966ea4ce18481c64e92f757ae2ddd1762c5a
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.7_STABLE

commit f199966ea4ce18481c64e92f757ae2ddd1762c5a
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Aaron Wells (u-aaronw) on 2014-04-03

no longer affects:

mahara/1.9

Robert Lyon (robertl-9) on 2014-04-22

Changed in mahara:
status:	Fix Committed → Fix Released

Mahara

Suspended users can log in via password reset email

Bug Description

CVE References

Other bug subscribers