email change seems to go through when password is not specified




17 years ago
6 years ago


(Reporter: imajes, Assigned: myk)





17 years ago
more info when this is secure.. :)


17 years ago
Group: webtools-security?
OK, imajes, it's secure. Spill the beans :-)


Comment 2

17 years ago
So I went to change my email of note, and the change went through (as far as I 
can tell); however, I forgot to specify my password to confirm the change. 

Right now I can't change email as it says email change in progress, but as far 
as I can ascertain (I am running filters, so the mail could have gotten lost in 
bugmail) I haven't had email.

This could be a security risk given it would allow email change without 
requiring passwd confirmation.

# gerv -- got lost for a couple of hours. Hope you brought popcorn for the 
suspense. :)

Summary: possible security issue during user account setup → email change seems to go through when password is not specified
-> 2.16 until we can work out what's going on.
Target Milestone: --- → Bugzilla 2.16
Where did you 'forget to specify the password'? I just tried locally, and I need
the password on the userprefs page before it will go through.

The mails don't need confirmation, but that's by design, I think.

Or did you mean something else?
imajes: could you answer bbaetz' questions?


Comment 6

17 years ago
I forgot to specify the password on the change prefs page -- i.e., the one where 
you confirm all actions.

Whilst I got a prompt telling me that I needed to specify a password (in nice 
big black-on-red lettering), what worried me is that when I went to change the 
email again (specifying password) I got a warning telling me that password 
change is already in progress.

Apologies for not providing a more complete explanation before... and it's 
kinda lucky I hit this bug... I was scanning bugmail to delete, and happened to 
land the cursor on gerv's pointer. :)

 -- james
This WFM. Can you reproduce this on a local install, or landfill, or something?
It's been 6 days since the last activity on this bug...

James: you have until July 7 to provide steps to reproduce this that someone
else can duplicate or I resolve WFM and clear the security flag.

*** This bug has been marked as a duplicate of 150925 ***
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE
The bug this is duped of is no longer secure, removing security flag on this one.
Group: webtools-security?
clearing target in DUPLICATE/WORKSFORME/INVALID/WONTFIX bugs so they'll show up
as untriaged if they get reopened.
Target Milestone: Bugzilla 2.16 → ---
QA Contact: matty_is_a_geek → default-qa