more info when this is secure.. :)
OK, imajes, it's secure. Spill the beans :-) Gerv
So I went to change my email of note, and the change went through (as far as I can tell); however, I forgot to specify my password to confirm the change. Right now I can't change email as it says email change in progress, but as far as I can ascertain (I am running filters, so the mail could have gotten lost in bugmail) I haven't had email. This could be a security risk given it would allow email change without requiring passwd confirmation. # gerv -- got lost for a couple of hours. Hope you brought popcorn for the suspense. :)
Summary: possible security issue during user account setup → email change seems to go through when password is not specified
-> 2.16 until we can work out what's going on.
Target Milestone: --- → Bugzilla 2.16
Where did you 'forget to specify the password'? I just tried locally, and I need the password on the userprefs page before it will go through. The mails don't need confirmation, but that's by design, I think. Or did you mean something else?
imajes: could you answer bbaetz' questions? Gerv
I forgot to specify the password on the change prefs page -- i.e., the one where you confirm all actions. Whilst I got a prompt telling me that I needed to specify a password (in nice big black-on-red lettering), what worried me is that when I went to change the email again (specifying password) I got a warning telling me that password change is already in progress. Apologies for not providing a more complete explanation before... and it's kinda lucky I hit this bug... I was scanning bugmail to delete, and happened to land the cursor on gerv's pointer. :) -- james
This WFM. Can you reproduce this on a local install, or landfill, or something?
It's been 6 days since the last activity on this bug... James: you have until July 7 to provide steps to reproduce this that someone else can duplicate or I resolve WFM and clear the security flag.
*** This bug has been marked as a duplicate of 150925 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE
The bug this is duped of is no longer secure, removing security flag on this one.
clearing target in DUPLICATE/WORKSFORME/INVALID/WONTFIX bugs so they'll show up as untriaged if they get reopened.
Target Milestone: Bugzilla 2.16 → ---