Suspended users can log in via password reset email

Bug #1284876 reported by Aaron Wells
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Aaron Wells
1.6
Fix Released
High
Aaron Wells
1.7
Fix Released
High
Son Nguyen
1.8
Fix Released
High
Aaron Wells

Bug Description

To replicate:

1. Suspend a user account
2. Log out
3. Click on the "forgot password" link, and enter the username for the suspended user
4. Receive the password reset email for that user, click on the link
5. The link takes you to the password reset screen. Fill in a new password there and click submit button

Expected Result: You should see the screen that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s"

Actual Result: You are logged in!

The good news is that don't seem to be able to interact with anybody. All attempts to send messages or create content give an error message which includes the account suspension message and reason. However, you can still read other people's content, and I haven't exhaustively checked for all modes of interaction, so there still might be something malicious you can do.

Tags: suspended

CVE References

Revision history for this message
Son Nguyen (ngson2000) wrote :

I'd send an email that says "Your account has been suspended as of Wednesday, 26 February 2014. The reason for your suspension is: %s" instead of the link to the password reset page.

Revision history for this message
Aaron Wells (u-aaronw) wrote :

Oops, I forgot to make it a security patch. https://reviews.mahara.org/3042

Aaron Wells (u-aaronw)
information type: Private Security → Public Security
Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "1.6_STABLE" branch: https://reviews.mahara.org/3160

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3162

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/3162
Committed: http://gitorious.org/mahara/mahara/commit/09e06e80bc12b3f9ec56854aace9adfcdc920995
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 09e06e80bc12b3f9ec56854aace9adfcdc920995
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "1.7_STABLE" branch: https://reviews.mahara.org/3164

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/3160
Committed: http://gitorious.org/mahara/mahara/commit/3475f03a3569b91ea787bc0049d85c1b4c77896d
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.6_STABLE

commit 3475f03a3569b91ea787bc0049d85c1b4c77896d
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3164
Committed: http://gitorious.org/mahara/mahara/commit/f199966ea4ce18481c64e92f757ae2ddd1762c5a
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.7_STABLE

commit f199966ea4ce18481c64e92f757ae2ddd1762c5a
Author: Aaron Wells <email address hidden>
Date: Wed Feb 26 12:28:35 2014 +1300

Check that account is valid before logging in via password reset

Bug1284876: Without this, a suspended user can log in via a password
reset email

Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5

Aaron Wells (u-aaronw)
no longer affects: mahara/1.9
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers