Project

General

Profile

Actions

Bug #4273

closed

promptPassword in letUpdatePassword

Added by Stefan Arndt over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Start date:
06/30/2015
Due date:
% Done:

0%

Estimated time:

Description

I came across a potential security issue related to the built-in AuthWidget. You can reproduce it with the blog example (or probably any other app using the AuthWidget):

  1. Login using username and password
  2. edit profile -> update password

You will see that the password is already filled in.

In the code, the parameter "promptPassword" for "letUpdatePassword" is set to 'true' and thus I would not only expect that I have to enter the password, but also that it is initially emtpy.

I think this could be a problem when you leave your machine unattended because someone can easily change your password. This is avoidable by resetting the password field right after login (sounds like a good idea anyways). Furthermore, wenn you login, change the password and change it again, the passoword-field will still contain the password you entered on login (which is invalid at this point, since you changed it).

Actions #1

Updated by Koen Deforche over 8 years ago

  • Status changed from New to InProgress
  • Assignee set to Koen Deforche
Actions #2

Updated by Koen Deforche over 8 years ago

  • Status changed from InProgress to Resolved
  • Target version set to 3.3.5

Hey,

That's indeed a correct observation!

Koen

Actions #3

Updated by Koen Deforche over 8 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF