manage_updatePasswordForm allows DoS against other users

Bug #789858 reported by Alan Hoey
Affects: Zope PAS | Status: Fix Released | Importance: Undecided | Assigned to: Tres Seaver

Bug Description

As an authenticated user, manage_updatePasswordForm allows me to change my login name; however, no check is made to ensure this new login name is unique. This means I can set my login name to the same as someone else's, preventing them from logging in. The effects are persistent for the victim: as the attacker, I can reset my name back to the original and the victim will still be unable to log in (as there is now no mapping of their login name to any other user). Also, attempting to reset the victim's login name via the management interface raises an exception (again due to the missing mapping).

(Line 483 onwards, ZODBUserManager.py)

Tres Seaver (tseaver) wrote:

I plan to make new releases for the 1.5 and 1.6 branches, as well as the trunk.

Changed in zope-pas:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote:

The attached patch hardens the 'updateUser' method (called by both 'manage_updateUser' and 'manage_updateUserPassword').

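A stripped-down illustration of the login-mapping defect described in the bug report and of the uniqueness check the hardening comment above refers to, added here as an example; it is not the PAS patch. `LoginRegistry` and its methods are hypothetical stand-ins for the login/user-id bookkeeping in ZODBUserManager.

```python
# Hypothetical minimal stand-in for the login <-> user-id bookkeeping kept by
# a PAS ZODBUserManager; the real class is larger and also stores password hashes.
class LoginRegistry:
    def __init__(self):
        self._userid_to_login = {}
        self._login_to_userid = {}

    def add_user(self, user_id, login):
        if login in self._login_to_userid:
            raise ValueError("login already in use")
        self._userid_to_login[user_id] = login
        self._login_to_userid[login] = user_id

    def authenticate_login(self, login):
        """Return the user id a login resolves to, or None if unmapped."""
        return self._login_to_userid.get(login)

    def update_user_unchecked(self, user_id, new_login):
        """Reproduces the reported defect: no uniqueness check on new_login."""
        old_login = self._userid_to_login[user_id]
        del self._login_to_userid[old_login]
        self._login_to_userid[new_login] = user_id  # silently overwrites the victim's entry
        self._userid_to_login[user_id] = new_login

    def update_user(self, user_id, new_login):
        """Hardened form: refuse a login that already maps to a different user."""
        owner = self._login_to_userid.get(new_login)
        if owner is not None and owner != user_id:
            raise ValueError("login already in use by another user")
        old_login = self._userid_to_login[user_id]
        if old_login != new_login:
            del self._login_to_userid[old_login]
        self._login_to_userid[new_login] = user_id
        self._userid_to_login[user_id] = new_login


def reproduce_lockout(checked):
    """Rename attacker to the victim's login, then back; report whether the victim still resolves."""
    reg = LoginRegistry()
    reg.add_user("victim-id", "victim")      # constructed sample accounts
    reg.add_user("attacker-id", "attacker")
    update = reg.update_user if checked else reg.update_user_unchecked
    try:
        update("attacker-id", "victim")
        update("attacker-id", "attacker")
    except ValueError:
        pass  # the hardened path rejects the collision before any mapping changes
    return reg.authenticate_login("victim") == "victim-id"
```

With the unchecked path the victim's login no longer maps to anyone after the attacker renames back, which is the persistent lockout the report describes; the checked path leaves both mappings intact.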
Tres Seaver (tseaver) wrote:

Fix released with PAS 1.5.5, 1.6.5, and 1.7.5.

Changed in zope-pas:
status: Confirmed → Fix Released
visibility: private → public
visibility: public → private
Matthew Wilkes (matthew-matthewwilkes) wrote:

Moved back to private. We should have coordinated this with our upstream users who reported the bug. This can be republished as soon as they've scrambled to release their fix now that this has been disclosed.

This pretty much has to happen in the next few hours.

visibility: private → public