Ticket #7187 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

AccountManager doesn't verify email when resetting password

Reported by: sagar.behere@gmail.com Assigned to: pacopablo
Priority: high Component: AccountManagerPlugin
Severity: critical Keywords:
Cc: rjollos Trac Release: 0.12

Description

I am using the account manager plugin with SvnServePasswordStore and the passwords coming from a svnserve passwd file.

I have a user called 'test' with email sagar@pobox.com. When I click on Forgot password and enter username test and email wrongemail@wrongserver.com and click ok, I get a message saying "Your new password has been emailed to you at wrongemail@wrongserver.com". Then, when I check the svnserve passwd file, I find that the password for user test has been reset to a random hexadecimal-like value.

The reset password feature should have refused to work and stated something like "wrongemail@wrongserver.com is not the email associated with username test and the email will NOT be sent."

System: Ubuntu Lucid, trac 0.12b1, I installed account manager from the trunk on 31st May 2010

Attachments

Change History

07/12/10 21:42:26 changed by dr2chase

I think this bug was caused by r7731. It deleted lines containing:

        notifier = PasswordResetNotification(self.env)

        if email != notifier.email_map.get(username):
            return {'error': 'The email and username do not '
                             'match a known account.'}

See the diffs here.

07/15/10 14:15:40 changed by dr2chase

PS: why is this not of the highest priority/severity? This is a trivially exploitable security hole.

08/13/10 16:22:59 changed by Samuel.Degrande@lifl.fr

I changed it into a case-insensitive check, because our users sometimes write their email address in uppercase, and sometimes in lowercase:

        # get() returns None for an unknown username; fall back to '' so the
        # comparison fails closed instead of raising AttributeError on .lower()
        if email.lower() != (notifier.email_map.get(username) or '').lower():
            return {'error': 'The email and username do not '
                             'match a known account.'}

08/17/10 23:33:38 changed by rjollos

  • cc set to rjollos.

(follow-up: ↓ 6 ) 08/31/10 18:25:57 changed by anonymous

When setting "acct_mgr.notification.accountchangelistener = enabled", the check against the registered email is done... The code cited by dr2chase was indeed moved inside the AccountManager notifier...

However, if you don't enable acct_mgr.notification.accountchangelistener, no mail is sent, but the password is changed !

(in reply to: ↑ 5 ) 09/26/10 15:36:41 changed by hasienda

  • status changed from new to closed.
  • resolution set to fixed.

Replying to anonymous:

> When setting "acct_mgr.notification.accountchangelistener = enabled", the check against the registered email is done... The code cited by dr2chase was indeed moved inside the AccountManager notifier...

So the initial issue is solved, right? I can't reproduce it either.

> However, if you don't enable acct_mgr.notification.accountchangelistener, no mail is sent, but the password is changed !

This is bad, but a different story, and this is what #3989 is for, if I'm totally wrong.

BTW, see #816 for a related enhancement request.

09/26/10 15:50:06 changed by hasienda

Reading #3989 a second time I found that this wasn't true, but I added the relevant information and the reporter of this ticket to the Cc list.
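The failure pattern discussed in this thread (the username/email check living only in the optional notification listener, a case-sensitive comparison, and `.get()` returning None for unknown users) can be modelled in a few lines. This is an added illustration written for this ticket, not code from AccountManagerPlugin; the store, email map and function names are constructed stand-ins.

```python
import hmac
import secrets

# Constructed sample data: a svnserve-style password store and the
# username -> email map that the notifier would normally hold.
PASSWORD_STORE = {"test": "oldpassword"}
EMAIL_MAP = {"test": "Sagar@pobox.com"}


def _normalise(addr):
    """Lower-case and strip an address so 'Foo@Bar.com ' equals 'foo@bar.com'."""
    return (addr or "").strip().lower()


def email_matches_account(username, email, email_map):
    """True only if the submitted email is the one on file for username.

    An unknown username yields None from the map; normalising it to ''
    makes the check fail closed instead of raising on .lower().
    """
    on_file = _normalise(email_map.get(username))
    submitted = _normalise(email)
    if not on_file or not submitted:
        return False
    return hmac.compare_digest(on_file.encode(), submitted.encode())


def reset_password_vulnerable(username, email, store, email_map, listener_enabled):
    """Mirrors the reported behaviour: the check only runs inside the optional
    listener, so with it disabled any username/email pair resets the password
    and nothing is mailed (the user is simply locked out)."""
    if listener_enabled and not email_matches_account(username, email, email_map):
        return {"error": "The email and username do not match a known account."}
    if username not in store:
        return {"error": "Unknown user."}
    store[username] = secrets.token_hex(8)
    return {"ok": True, "mailed_to": email if listener_enabled else None}


def reset_password_fixed(username, email, store, email_map, listener_enabled):
    """Hardened form: verify before any write, independent of notification
    settings, and never regenerate a password that cannot be delivered."""
    if username not in store or not email_matches_account(username, email, email_map):
        return {"error": "The email and username do not match a known account."}
    if not listener_enabled:
        return {"error": "Password reset notification is disabled; nothing changed."}
    store[username] = secrets.token_hex(8)
    return {"ok": True, "mailed_to": email_map[username]}
```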
