Remote password change possible upon register of new user w/ already existing username
Reported by: erinn_tor
Owned by: Steffen Hoffmann
Someone on our bug tracker recently discovered that it's possible to change users' passwords by re-registering the pre-existing username. This is with AccountManagerPlugin 0.4.3.
I don't think this should be possible with any combination of trac.ini options, but just in case, here are the ones we were using before disabling the registration of new users entirely:
acct_mgr.admin.accountmanageradminpanel = enabled
acct_mgr.guard.accountguard = enabled
acct_mgr.register.registrationmodule = enabled
acct_mgr.web_ui.accountmodule = enabled
Basically, they were able to reset anyone's account including admins, so I consider this a critical security flaw. Please let me know if there is any more information I can provide.