[gatein-issues] [JBoss JIRA] Updated: (GTNPORTAL-880) password recovery may change anyone's password

Matt Wringe (JIRA) jira-events at lists.jboss.org
Fri Mar 12 18:11:37 EST 2010


     [ https://jira.jboss.org/jira/browse/GTNPORTAL-880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Wringe updated GTNPORTAL-880:
----------------------------------

    Priority: Blocker  (was: Major)


> password recovery may change anyone's password
> ----------------------------------------------
>
>                 Key: GTNPORTAL-880
>                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-880
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 3.0.0-GA
>            Reporter: Patrice Lamarque
>            Priority: Blocker
>
> It looks like anyone can change anyone else's password by using the forgot username function.
> A first annoyance is that you can easily lock the default root account like this:
> Sign in > Forgot Username / Password > Forgot My Password
> Enter 'root'
> Now try to login with root / gtn >> you can't.
> What happened?
> Gatein has generated a new password for root and sent it to the default email address which is.... root at localhost (!).
> Using this function anyone would be able to change anyone else's password.
> The flow for password recovery should not regenerate a new password until the user has confirmed by clicking a generated URI in the email.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
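The confirmation-first flow the report asks for, as an added Python example (not GateIn's own code): the stored password is left untouched when a reset is requested, and only the holder of the emailed one-time token can change it. TOKEN_TTL, the injectable clock and plaintext password storage are assumptions made for brevity.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: reset link valid for 15 minutes


class PasswordRecovery:
    """Password reset that never regenerates a password on request alone.
    Step 1 only records a hashed one-time token; step 2 changes the
    password after the token comes back, unexpired and unused."""

    def __init__(self, passwords, clock=time.time):
        self.passwords = dict(passwords)  # username -> password (plaintext only for the demo)
        self.pending = {}                 # sha256(token) -> (username, expires_at)
        self.clock = clock

    def request_reset(self, username):
        """Create a token to embed in the emailed URI. The password is NOT
        changed here, so an unauthenticated request cannot lock anyone out.
        Returns None for unknown users; callers should show the same generic
        'check your email' message either way."""
        if username not in self.passwords:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, self.clock() + TOKEN_TTL)
        return token  # only the hash is kept server-side

    def confirm_reset(self, token, new_password):
        """Change the password only for a valid, unexpired, single-use token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a token can be used once
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.passwords[username] = new_password
        return True

    def check_login(self, username, password):
        stored = self.passwords.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())
```

Unlike the flow in the report, `root / gtn` keeps working after `request_reset("root")` until the token from the email is actually presented.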