[
https://jira.jboss.org/jira/browse/GTNPORTAL-880?page=com.atlassian.jira....
]
Dimitri BAELI commented on GTNPORTAL-880:
-----------------------------------------
Forget my last answer, I thought it was for user creation, not recovery.
What is possible is to add a checkup at GateIn start for the mail service configuration.
And display a message on the root logged-in user's homepage to tell him that MailService is not
configured.
A stack at GateIn start with information like Patrice explained is good.
Changing the password is not what we expect, no? Why not simply send the password
without changing it.
So that without the mail service the recovery does not work but does not block the account
(and then generating a file on the server side can be a solution).
password recovery may change anyone's password
----------------------------------------------
Key: GTNPORTAL-880
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-880
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 3.0.0-GA
Reporter: Patrice Lamarque
Priority: Blocker
It looks like anyone can change anyone else's password by using the forgot username
function.
A first annoyance is that you can easily lock the default root account like this:
Sign in > Forgot Username / Password > Forgot My Password
Enter 'root'
Now try to login with root / gtn >> you can't.
What happened?
Gatein has generated a new password for root and sent it to the default email address
which is.... root@localhost (!).
Using this function anyone would be able to change anyone else's password.
The flow for password recovery should not regenerate a new password until the user has
confirmed by clicking a generated URI in the email.
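The confirm-before-change flow the report asks for, as an added example that is not GateIn's own code: the request step only mails a one-time token and leaves the password untouched, so knowing a username is not enough to lock an account; the password changes only when that token comes back. The `send_mail` hook, the portal URL and the 15-minute expiry are assumed values, and the new password is supplied by the confirming user rather than generated server-side.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed: reset links expire after 15 minutes


class PasswordRecovery:
    """Two-step recovery: a request only issues a token; the password
    changes only when the token from the email is presented."""

    def __init__(self, users, send_mail):
        self.users = users          # username -> {"email": ..., "password": ...}
        self.send_mail = send_mail  # hypothetical hook: callable(to, body)
        self.pending = {}           # username -> (sha256(token), expiry)

    def request_reset(self, username, now=None):
        """Step 1: mail a one-time link. Nothing about the account changes here."""
        user = self.users.get(username)
        if user is None:
            return False  # the UI should still show the same neutral message
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        # store only a hash, so a leaked table does not yield usable links
        self.pending[username] = (hashlib.sha256(token.encode()).hexdigest(), expiry)
        self.send_mail(user["email"],
                       f"https://portal.example/reset?u={username}&t={token}")
        return True

    def confirm_reset(self, username, token, new_password, now=None):
        """Step 2: only the holder of the emailed token can change the password."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            del self.pending[username]  # stale link is discarded, password untouched
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False  # wrong token: no change, no lockout
        self.users[username]["password"] = new_password
        del self.pending[username]  # one-time use
        return True
```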
--
This message is automatically generated by JIRA.