Closed Bug 1894601 Opened 2 years ago Closed 2 years ago

Bugzilla should not use crypt to store hashed passwords in the database

Categories

(Bugzilla :: User Accounts, enhancement)

5.9.1
enhancement

Tracking


RESOLVED INVALID

People

(Reporter: chiragshilkar056, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

I wrote bogus text in the current password box and changed my user name.
However, Bugzilla accepted the change.

Reproducible: Always

Steps to Reproduce:

  1. Use bogus text as your current password.
  2. Change your real name.
  3. Submit

Actual Results:
Bugzilla makes the changes.

Expected Results:
Bugzilla should not make the change.

I think the bogus text I was using began with my actual password so if it was
foo, I entered foobar.

This is a security issue so setting security flag. This is also a critical issue.

Flags: needinfo?(default-qa)

The password entry on that form is only required if you change your email or the password itself. Changes to the real name field do not require a password entry, so the password field would be ignored if that's the only thing you change.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(default-qa)
Resolution: --- → INVALID

The text on that page states "Your current password is required to confirm email address or password changes." There's no mention of real name there.

This bug will remain secured for 24 hours, to give you adequate time to change my mind in case I'm wrong, after which the security flag will be removed.

Flags: needinfo?(justdave)
Group: bugzilla-security
Flags: needinfo?(justdave)
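The maintainer's explanation describes a step-up re-authentication policy: the current password is checked only when a sensitive field (email or password) is part of the change, and is otherwise ignored. The following is an added illustration of that policy as a server-side handler; it is not Bugzilla's code, and the field names, the PBKDF2 parameters and the sample account are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Fields whose change requires the user to re-enter the current password.
# (Assumed policy, mirroring the form text quoted above.)
SENSITIVE_FIELDS = frozenset({"email", "password"})
# All fields the profile form is allowed to edit; anything else is rejected.
EDITABLE_FIELDS = frozenset({"real_name", "email", "password"})

PBKDF2_ITERATIONS = 200_000  # illustrative work factor, not a recommendation


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256 from the standard library."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_account(email: str, real_name: str, password: str) -> dict:
    """Constructed sample account record; only a salted hash of the password is kept."""
    salt, digest = hash_password(password)
    return {"email": email, "real_name": real_name, "salt": salt, "hash": digest}


def apply_profile_change(account: dict, changes: dict, current_password: Optional[str]) -> dict:
    """Apply a profile edit, demanding re-authentication only for sensitive fields.

    Raises ValueError for unknown fields and PermissionError when a sensitive
    field is changed without a correct current password. A wrong or bogus
    password is ignored when only non-sensitive fields (e.g. real_name) change,
    which is the behaviour the maintainer describes for the real name field.
    """
    unknown = set(changes) - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")

    if set(changes) & SENSITIVE_FIELDS:
        if current_password is None or not verify_password(
            current_password, account["salt"], account["hash"]
        ):
            raise PermissionError("current password required to change email or password")

    updated = dict(account)
    for field, value in changes.items():
        if field == "password":
            # Re-hash with a fresh salt; never store the new password itself.
            updated["salt"], updated["hash"] = hash_password(value)
        else:
            updated[field] = value
    return updated


def demo() -> dict:
    """Run the scenario from the report against the policy and collect the outcomes."""
    acct = make_account("alice@example.invalid", "Alice", "foo")  # constructed sample
    out = {}
    # Real name change with a bogus password succeeds: the password field is ignored.
    out["real_name_with_bogus_pw"] = apply_profile_change(acct, {"real_name": "Alice B."}, "foobar")["real_name"]
    # Email change with the same bogus password is refused.
    try:
        apply_profile_change(acct, {"email": "bob@example.invalid"}, "foobar")
        out["email_with_bogus_pw"] = "accepted"
    except PermissionError:
        out["email_with_bogus_pw"] = "refused"
    # Email change with the correct password succeeds.
    out["email_with_real_pw"] = apply_profile_change(acct, {"email": "bob@example.invalid"}, "foo")["email"]
    return out


if __name__ == "__main__":
    print(demo())
```

The check is keyed on which fields are present in the request, not on whether the password box was filled in, so a client that omits the password while changing the email is refused just like one that sends a wrong value.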