manage_updatePasswordForm allows DoS against other users

Bug #789858 reported by Alan Hoey on 2011-05-29
270
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Zope PAS
Undecided
Tres Seaver

Bug Description

As an authenticated user, manage_updatePasswordForm allows me to change my login name, however no check is made to ensure this new login name is unique. This means I can set my login name to the same as someone else, preventing them from logging in. The effects are persistent for the victim, as the attacker I can reset my name back to the original and the victim will still be unable to log in (as there is now no mapping of their login name to any other user). Also, attempting to reset the victims login name via the management interface raises an exception (again due to the missing mapping).

(Line 483 onwards, ZODBUserManager.py)

Tres Seaver (tseaver) wrote :

I plan to make new releases for the 1.5 and 1.6 branches, as well as the trunk.

Changed in zope-pas:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote :

The attached patch hardens the 'updateUser' method (called by both 'manage_updateUser' and 'manage_updateUserPassword').

Tres Seaver (tseaver) wrote :

Fix released with PAS 1.5.5, 1.6.5, and 1.7.5.

Changed in zope-pas:
status: Confirmed → Fix Released
visibility: private → public
visibility: public → private

Moved back to private. We should have coordinated this with our upstream users who reported the bug. This can be republished as soon as they've scrambled to release their fix now this has been disclosed.

This pretty much has to happen in the next few hours.

visibility: private → public
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers