Status

()

bugzilla.mozilla.org
Administration
P3
major
RESOLVED DUPLICATE of bug 1045767
3 years ago
3 years ago

People

(Reporter: Ranjeet Singh, Unassigned)

Tracking

Development/Staging
x86_64
Windows 8

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Steps to reproduce :
1) Create a https://bugzilla.mozilla.org account having email address "abc@x.com".
2) Now Logout and ask for password reset link. Don't use the password reset link.
3) Login using the same password back and update your email address to "def@x.com" and verify the same.
4) Now logout and use the password reset link which was mailed to "abc@x.com" in step 2.
5) Password will be changed.

All previous password reset links should automatically expire once a user changes his email address.
Please let me know if this can be fixed.

Best Regards
Ranjeet
(Reporter)

Updated

3 years ago
Group: core-security → bugzilla-security
Component: Security → Administration
Priority: -- → P3
Product: Core → bugzilla.mozilla.org
Version: unspecified → Development/Staging
(Reporter)

Comment 1

3 years ago
Created attachment 8466798 [details]
10579010_649181838511129_368177136_o.jpg
(In reply to Ranjeet Singh from comment #1)
> Created attachment 8466798 [details]
> 10579010_649181838511129_368177136_o.jpg

What does this have to do with the issue mentioned in comment #0?

Also, looks like you just modified the source to add that oninput=... If so, that's not a valid security issue.
(Reporter)

Comment 3

3 years ago
No sir its a mistake bug is

Steps to reproduce :
1) Create a https://bugzilla.mozilla.org account having email address "abc@x.com".
2) Now Logout and ask for password reset link. Don't use the password reset link.
3) Login using the same password back and update your email address to "def@x.com" and verify the same.
4) Now logout and use the password reset link which was mailed to "abc@x.com" in step 2.
5) Password will be changed.

All previous password reset links should automatically expire once a user changes his email address.
Please let me know if this can be fixed.

Best Regards
Ranjeet

Updated

3 years ago
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1045767

Comment 5

3 years ago
(In reply to Ranjeet Singh from comment #3)
> No sir its a mistake bug is
> 
> Steps to reproduce :
> 1) Create a https://bugzilla.mozilla.org account having email address
> "abc@x.com".
> 2) Now Logout and ask for password reset link. Don't use the password reset
> link.
> 3) Login using the same password back and update your email address to
> "def@x.com" and verify the same.
> 4) Now logout and use the password reset link which was mailed to
> "abc@x.com" in step 2.
> 5) Password will be changed.
> 
> All previous password reset links should automatically expire once a user
> changes his email address.
> Please let me know if this can be fixed.

The wording here is identical to the wording in https://bugzilla.mozilla.org/show_bug.cgi?id=1045767#c0 , except for the sample e-mail address.

  -- simon
You need to log in before you can comment on or make changes to this bug.