Suspended users can log in via password reset email

Bug #1284876 reported by Aaron Wells on 2014-02-25
Affects   Importance   Assigned to
Mahara    High         Aaron Wells
1.6       High         Aaron Wells
1.7       High         Son Nguyen
1.8       High         Aaron Wells

Bug Description

To replicate:

1. Suspend a user account
2. Log out
3. Click on the "forgot password" link, and enter the username for the suspended user
4. Receive the password reset email for that user, click on the link
5. The link takes you to the password reset screen. Fill in a new password there and click submit button

Expected Result: You should see the screen that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s"

Actual Result: You are logged in!

The good news is that you don't seem to be able to interact with anybody. All attempts to send messages or create content give an error message which includes the account suspension message and reason. However, you can still read other people's content, and I haven't exhaustively checked for all modes of interaction, so there still might be something malicious you can do.
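The flow in the report, modelled as an added example (this is not Mahara's code and does not reproduce its API): a reset token is issued on "forgot password", and consuming the token sets a new password and logs the user in. One variant skips the account check at that point and shows the reported behaviour; the other performs the check the fix describes, before the session is created, and returns the suspension screen instead. The account store, token format, hashing and all names here are assumptions made for the illustration. The demo also lets the suspension happen after the email was requested, which is why the check belongs at the moment the link is consumed rather than only when the email is sent.

```python
# Added example, not Mahara's own code. All names, the in-memory store
# and the token format are assumptions made for this illustration.
import hashlib
import secrets
import time
from dataclasses import dataclass
from datetime import date
from typing import Optional


class AccountSuspended(Exception):
    """Raised instead of logging in when the account is suspended."""


@dataclass
class Account:
    username: str
    password_hash: bytes
    suspended_on: Optional[date] = None
    suspension_reason: str = ""


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-SHA256; the 16-byte salt is prepended to the digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def check_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    return secrets.compare_digest(hash_password(password, salt)[16:], digest)


def suspension_message(acct: Account) -> str:
    # Same wording the bug report expects to see instead of a login.
    day = acct.suspended_on.strftime("%A, %d %B %Y")
    return (f"Your account has been suspended as of {day}. "
            f"The reason for your suspension is: {acct.suspension_reason}")


def ensure_account_valid(acct: Account) -> None:
    """The check the fix adds: refuse to continue for a suspended account."""
    if acct.suspended_on is not None:
        raise AccountSuspended(suspension_message(acct))


class ResetFlow:
    TOKEN_TTL = 3600  # seconds the emailed link stays usable (assumption)

    def __init__(self, accounts, check_on_complete: bool):
        self.accounts = {a.username: a for a in accounts}
        self.tokens = {}  # token -> (username, expiry)
        self.check_on_complete = check_on_complete  # False reproduces the bug

    def request_reset(self, username: str) -> str:
        """Step 3 of the report: 'forgot password' issues the emailed token.
        Suspension is deliberately not checked here: the account may be
        suspended after the mail has already gone out."""
        if username not in self.accounts:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, time.monotonic() + self.TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str) -> str:
        """Steps 4-5: the link is clicked, a new password is set and the
        user is logged in. Returns the username of the new session."""
        username, expires = self.tokens.pop(token)  # single use
        if time.monotonic() > expires:
            raise PermissionError("reset link expired")
        acct = self.accounts[username]
        if self.check_on_complete:
            ensure_account_valid(acct)  # the fix: validate before login
        acct.password_hash = hash_password(new_password)
        return username  # stands in for creating the logged-in session


def demo(suspend_after_request: bool = False):
    """Run the reporter's steps against both variants. Returns
    (vulnerable_result, fixed_result): a username means 'logged in', a
    string starting with 'Your account' is the suspension screen."""
    def run(check_on_complete: bool):
        acct = Account("alice", hash_password("old-pass"))  # constructed
        flow = ResetFlow([acct], check_on_complete)

        def suspend():
            acct.suspended_on = date(2014, 2, 26)          # date in the report
            acct.suspension_reason = "policy violation"     # constructed reason

        if not suspend_after_request:
            suspend()                                   # step 1: suspend first
        token = flow.request_reset("alice")             # step 3: request mail
        if suspend_after_request:
            suspend()                                   # suspended after mail
        try:
            return flow.complete_reset(token, "new-pass")   # steps 4-5
        except AccountSuspended as e:
            return str(e)

    return run(check_on_complete=False), run(check_on_complete=True)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("without check:", vulnerable)
    print("with check:   ", fixed)
```

Running `demo()` with the reporter's ordering logs the suspended user in on the unchecked path and returns the "Your account has been suspended as of Wednesday, 26 February 2014" text on the checked path; `demo(suspend_after_request=True)` gives the same outcome, which a check only at request time (sending the suspension notice instead of the link) would not catch on its own.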

Son Nguyen (ngson2000) wrote :

I'd send an email that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s" instead of the link to the password reset page.

Aaron Wells (u-aaronw) wrote :

Oops, I forgot to make it a security patch. https://reviews.mahara.org/3042

Aaron Wells (u-aaronw) on 2014-04-01
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3162

Reviewed: https://reviews.mahara.org/3162
Committed: http://gitorious.org/mahara/mahara/commit/09e06e80bc12b3f9ec56854aace9adfcdc920995
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 09e06e80bc12b3f9ec56854aace9adfcdc920995
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Reviewed: https://reviews.mahara.org/3160
Committed: http://gitorious.org/mahara/mahara/commit/3475f03a3569b91ea787bc0049d85c1b4c77896d
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.6_STABLE

commit 3475f03a3569b91ea787bc0049d85c1b4c77896d
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3164
Committed: http://gitorious.org/mahara/mahara/commit/f199966ea4ce18481c64e92f757ae2ddd1762c5a
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.7_STABLE

commit f199966ea4ce18481c64e92f757ae2ddd1762c5a
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Aaron Wells (u-aaronw) on 2014-04-03
no longer affects: mahara/1.9
Robert Lyon (robertl-9) on 2014-04-22
Changed in mahara:
status: Fix Committed → Fix Released