[gatein-issues] [JBoss JIRA] Created: (GTNPORTAL-880) password recovery may change anyone's password
Patrice Lamarque (JIRA)
jira-events at lists.jboss.org
Fri Mar 12 16:29:37 EST 2010
password recovery may change anyone's password
----------------------------------------------
Key: GTNPORTAL-880
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-880
Project: GateIn Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 3.0.0-GA
Reporter: Patrice Lamarque
It looks like anyone can change anyone else's password by using the forgot username function.
A first annoyance is that you can easily lock the default root account like this:
Sign in > Forgot Username / Password > Forgot My Password
Enter 'root'
Now try to log in with root / gtn: you can't.
What happened?
GateIn has generated a new password for root and sent it to the default email address, which is... root@localhost (!).
Using this function anyone would be able to change anyone else's password.
The flow for password recovery should not regenerate a new password until the user has confirmed by clicking a generated URI in the email.
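As an added illustration of the fix the report asks for (example code, not GateIn's own), the sketch below leaves the stored password untouched when a reset is requested and only changes it once the random token from the emailed link is presented, unexpired and unused. The portal URL, the 15-minute lifetime and the in-memory user store and outbox are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed: reset links expire after 15 minutes


class PasswordRecovery:
    """Two-step recovery: requesting a reset never modifies the account."""

    def __init__(self, users):
        self.users = users    # username -> {"password": ..., "email": ...} (constructed store)
        self.pending = {}     # sha256(token) -> (username, expiry); only the hash is kept
        self.outbox = []      # constructed stand-in for the mail server: (address, link)

    def request_reset(self, username, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        # Unknown names get the same silent response so the form does not enumerate accounts.
        if user is None:
            return
        token = secrets.token_urlsafe(32)                       # unguessable, single use
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, now + TOKEN_TTL_SECONDS)
        # Hypothetical portal URL; the password itself is NOT changed or mailed here.
        self.outbox.append((user["email"], f"https://portal.example/reset?token={token}"))

    def confirm_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # consumed on first presentation, valid or not
        if entry is None:
            return False                         # unknown, already used, or never issued
        username, expiry = entry
        if now > expiry:
            return False                         # link too old; the user must request again
        self.users[username]["password"] = new_password   # a real store would hash this
        return True


if __name__ == "__main__":
    users = {"root": {"password": "gtn", "email": "root@localhost"}}
    recovery = PasswordRecovery(users)
    recovery.request_reset("root")
    print("password after request:", users["root"]["password"])   # still "gtn"
    link = recovery.outbox[0][1]
    print("guessed token accepted:", recovery.confirm_reset("bogus", "x"))
    print("mailed token accepted:", recovery.confirm_reset(link.split("token=")[1], "new-pw"))
```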