Suspended users can log in via password reset email
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
High
|
Aaron Wells | ||
| 1.6 |
Fix Released
|
High
|
Aaron Wells | ||
| 1.7 |
Fix Released
|
High
|
Son Nguyen | ||
| 1.8 |
Fix Released
|
High
|
Aaron Wells | ||
Bug Description
To replicate:
1. Suspend a user account
2. Log out
3. Click on the "forgot password" link, and enter the username for the suspended user
4. Receive the password reset email for that user, click on the link
5. The link takes you to the password reset screen. Fill in a new password there and click submit button
Expected Result: You should see the screen that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s"
Actual Result: You are logged in!
The good news is that don't seem to be able to interact with anybody. All attempts to send messages or create content give an error message which includes the account suspension message and reason. However, you can still read other people's content, and I haven't exhaustively checked for all modes of interaction, so there still might be something malicious you can do.
CVE References
| Son Nguyen (ngson2000) wrote | #1 |
| Aaron Wells (u-aaronw) wrote | #2 |
| information type: | Private Security → Public Security |
| Mahara Bot (dev-mahara) wrote A patch has been submitted for review | #3 |
| Mahara Bot (dev-mahara) wrote | #4 |
| Mahara Bot (dev-mahara) wrote A change has been merged | #5 |
| Mahara Bot (dev-mahara) wrote A patch has been submitted for review | #6 |
| Mahara Bot (dev-mahara) wrote A change has been merged | #7 |
| Mahara Bot (dev-mahara) wrote | #8 |
| no longer affects: | mahara/1.9 |
| Changed in mahara: | |
| status: | Fix Committed → Fix Released |
I'd send an email that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s" instead of the link to the password reset page.