Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#11545 closed defect (fixed)

Remote password change in trac.torproject account

Reported by: Dedalo Owned by: erinn
Priority: Very High Milestone:
Component: Internal Services/Service - trac Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I was trying to recover my password and I tried to register my user again so a noticed there is a vulnerability, any user can actually change any users password.

Go to:

https://trac.torproject.org/projects/tor/register

Just put any username with the password you want and then that is going to automatically change it.

Child Tickets

Attachments (2)

Selección_191.png (25.7 KB) - added by Dedalo 6 years ago.
Selección_192.png (17.9 KB) - added by Dedalo 6 years ago.

Download all attachments as: .zip

Change History (7)

Changed 6 years ago by Dedalo

Attachment: Selección_191.png added

Changed 6 years ago by Dedalo

Attachment: Selección_192.png added

comment:1 Changed 6 years ago by karsten

Owner: set to erinn
Status: newassigned

Indeed. I was able to confirm this by changing the password for cypherpunks to something else, and that worked just fine. (I changed the password back afterwards.)

weasel just disabled the account manager. Now we only need to find a way to fix this. Re-assigning to erinn.

Thanks for reporting!

comment:2 Changed 6 years ago by Dedalo

Please if you can restore isis and ioerror's passwords cause I changed them and not sure if they will be able to exploit this issue when they are online.

comment:3 Changed 6 years ago by Sebastian

This sounds suspiciously like the issue I had a few months ago, where I suddenly couldn't log into trac. I discovered another sebastian user with different capitalization while investigating, and reset my password - I suspect that the other user overwrote my password somehow.

comment:4 Changed 6 years ago by erinn

Resolution: fixed
Status: assignedclosed

Okay! This is fixed now. I talked to the developer and they gave me some more configuration options to prevent this from happening. I have upgraded the version of the plugin and added the options they suggested.

I told the developer that I considered this a critical bug (i.e., it should not be possible under any configuration). But I'm closing this for now.

Thanks, Dedalo, for reporting this. :)

comment:5 Changed 6 years ago by Dedalo

Thank you for fixing this issue :)

Note: See TracTickets for help on using tickets.