Zope PAS

manage_updatePasswordForm allows DoS against other users

Bug #789858 reported by Alan Hoey on 2011-05-29

270

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

Zope PAS

Fix Released

Undecided

Tres Seaver

You need to log in to change this bug's status.

Affecting:	Zope PAS
Filed here by:	Alan Hoey
When:	2011-05-29
Confirmed:	2011-05-30
Assigned:	2011-05-30
Started work:	2011-05-30
Completed:	2011-05-30

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Undecided

Assigned to

	Me
	Tres Seaver (tseaver)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

As an authenticated user, manage_updatePasswordForm allows me to change my login name, however no check is made to ensure this new login name is unique. This means I can set my login name to the same as someone else, preventing them from logging in. The effects are persistent for the victim, as the attacker I can reset my name back to the original and the victim will still be unable to log in (as there is now no mapping of their login name to any other user). Also, attempting to reset the victims login name via the management interface raises an exception (again due to the missing mapping).

(Line 483 onwards, ZODBUserManager.py)

Add tags Tag help

Tres Seaver (tseaver) wrote on 2011-05-30:

I plan to make new releases for the 1.5 and 1.6 branches, as well as the trunk.

Changed in zope-pas:
assignee:	nobody → Tres Seaver (tseaver)
status:	New → Confirmed

Tres Seaver (tseaver) wrote on 2011-05-30:

lp_789858.patch Edit (2.2 KiB, text/plain)

The attached patch hardens the 'updateUser' method (called by both 'manage_updateUser' and 'manage_updateUserPassword').

Tres Seaver (tseaver) wrote on 2011-05-30:

Fix released with PAS 1.5.5, 1.6.5, and 1.7.5.

Changed in zope-pas:
status:	Confirmed → Fix Released
visibility:	private → public

Matthew Wilkes (matthew-matthewwilkes) on 2011-06-01

visibility:

public → private

Matthew Wilkes (matthew-matthewwilkes) wrote on 2011-06-01:

Moved back to private. We should have coordinated this with our upstream users who reported the bug. This can be republished as soon as they've scrambled to release their fix now this has been disclosed.

This pretty much has to happen in the next few hours.

Matthew Wilkes (matthew-matthewwilkes) on 2011-06-01

visibility:

private → public