Suspended users can log in via password reset email
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | | High | Aaron Wells | |
| 1.6 | | High | Aaron Wells | |
| 1.7 | | High | Son Nguyen | |
| 1.8 | | High | Aaron Wells | |
Bug Description
To replicate:
1. Suspend a user account
2. Log out
3. Click on the "forgot password" link, and enter the username for the suspended user
4. Receive the password reset email for that user, click on the link
5. The link takes you to the password reset screen. Fill in a new password there and click the submit button
Expected Result: You should see the screen that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s"
Actual Result: You are logged in!
The good news is that you don't seem to be able to interact with anybody. All attempts to send messages or create content give an error message which includes the account suspension message and reason. However, you can still read other people's content, and I haven't exhaustively checked for all modes of interaction, so there still might be something malicious you can do.
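A minimal model of the reset flow described above, added here as an example (it is not Mahara's code and does not reproduce its actual fix): the pre-fix handler accepts a valid reset token as permission to log in, while the fixed handler re-applies the same account-state check the normal login path uses at the moment the reset is completed. `Account`, `RESET_TOKENS` and the two `complete_reset_*` functions are constructed names, and only the suspension case is modelled.

```python
# Added example (not Mahara's code): a model of the reset flow with the flaw from this bug and its fix.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

@dataclass
class Account:
    username: str
    password_hash: str = ""
    suspended_on: Optional[datetime] = None   # set when an admin suspends the account
    suspension_reason: str = ""

RESET_TOKENS: Dict[str, Tuple[str, datetime]] = {}   # token -> (username, expiry); demo store

def account_is_valid(acct: Account) -> Tuple[bool, str]:
    """The check the normal login path applies; the reset path must apply it as well."""
    if acct.suspended_on is not None:
        return False, (f"Your account has been suspended as of {acct.suspended_on:%A, %d %B %Y}. "
                       f"The reason for your suspension is: {acct.suspension_reason}")
    return True, ""

def issue_reset_token(acct: Account, now: datetime, ttl_hours: int = 1) -> str:
    """'Forgot password' step: the user exists, so a single-use token is mailed out."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (acct.username, now + timedelta(hours=ttl_hours))
    return token

def _consume_token(token: str, now: datetime) -> Optional[str]:
    pending = RESET_TOKENS.pop(token, None)   # single use: gone after first presentation
    return None if pending is None or now > pending[1] else pending[0]

def complete_reset_vulnerable(token, new_password, accounts, now) -> dict:
    """Pre-fix behaviour: a valid token alone is treated as permission to log in."""
    username = _consume_token(token, now)
    if username is None:
        return {"logged_in": False, "message": "Invalid or expired reset link"}
    accounts[username].password_hash = hashlib.sha256(new_password.encode()).hexdigest()  # demo hash
    return {"logged_in": True, "username": username}   # no account-state check at all

def complete_reset_fixed(token, new_password, accounts, now) -> dict:
    """Fixed behaviour: re-check account state at completion, not only at request time."""
    username = _consume_token(token, now)
    if username is None:
        return {"logged_in": False, "message": "Invalid or expired reset link"}
    ok, message = account_is_valid(accounts[username])
    if not ok:
        return {"logged_in": False, "message": message}   # show the notice, start no session
    accounts[username].password_hash = hashlib.sha256(new_password.encode()).hexdigest()  # demo hash
    return {"logged_in": True, "username": username}
```

The check runs at completion rather than at token issuance because, as in the report, the suspension can happen after the reset email has already been sent.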
Son Nguyen (ngson2000) wrote (#1):
Aaron Wells (u-aaronw) wrote (#2):
Oops, I forgot to make it a security patch. https:/
information type: Private Security → Public Security
Patch for "1.6_STABLE" branch: https:/
Mahara Bot (dev-mahara) wrote (#4):
Patch for "1.8_STABLE" branch: https:/
Reviewed: https:/
Committed: http://
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE
commit 09e06e80bc12b3f
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300
Check that account is valid before logging in via password reset
Bug1284876: Without this, a suspended user can log in via a password
reset email
Change-Id: I5cb8f2978cdc2c
Patch for "1.7_STABLE" branch: https:/
Reviewed: https:/
Committed: http://
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.6_STABLE
commit 3475f03a3569b91
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300
Check that account is valid before logging in via password reset
Bug1284876: Without this, a suspended user can log in via a password
reset email
Change-Id: I5cb8f2978cdc2c
Mahara Bot (dev-mahara) wrote (#8):
Reviewed: https:/
Committed: http://
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.7_STABLE
commit f199966ea4ce184
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300
Check that account is valid before logging in via password reset
Bug1284876: Without this, a suspended user can log in via a password
reset email
Change-Id: I5cb8f2978cdc2c
no longer affects: mahara/1.9
Changed in mahara:
status: Fix Committed → Fix Released
I'd send an email that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s" instead of the link to the password reset page.