MindTouch 2010 sends user password in cleartext

Status: RESOLVED FIXED
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 5 years ago
Reporter: retornam (Unassigned)

Description

8 years ago
1) Register a new account on https://developer-stage.mozilla.org/En
2) Check your email to find your password in cleartext
mcoates: what's the preferred fix for this? password reset link? is it okay if it's a one-time password?

Comment 2

8 years ago
we fixed this on v9 already...  bug 620395.  is this another case of mindtouch not patching their latest version?
cc me on the bug so I can tell if it's the same xss
looks like we need to copy over the same resources files into mindtouch 10
(In reply to comment #1)
> mcoates: what's the preferred fix for this? password reset link? is it okay if
> it's a one-time password?

- Send the user a random token within a reset link.
- If not used, the token automatically expires after 4 hrs.
- The reset link forces an immediate password change.  

If this is a django app there is built in functionality to support this.
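The three-point scheme above, as an added example that is not code from this bug, from MindTouch or from Kuma: a small Python reset service that issues a random token, stores only the token's hash, refuses it after 4 hours or after a single use, and allows the token to do nothing except set a new password. The base URL and user ids are constructed placeholders.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 4 * 60 * 60  # unused tokens expire after 4 hours

@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash for storage; the stored value never reveals the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class PasswordResetService:
    """Issues single-use, time-limited reset tokens instead of mailing a password."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested with a fake time
        self._records: dict[str, ResetRecord] = {}  # keyed by SHA-256 of the token
        self._credentials: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def issue_reset_link(self, user_id: str, base_url: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Store only the hash, so a copy of the database does not yield live links.
        self._records[digest] = ResetRecord(user_id, self._now() + RESET_TTL_SECONDS)
        return f"{base_url}/reset?token={token}"  # placeholder base_url supplied by caller

    def complete_reset(self, token: str, new_password: str) -> bool:
        # Consume the token: valid once, only before expiry, only to set a new password.
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self._records.get(digest)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        rec.used = True  # single use: a replayed link is rejected from here on
        salt = secrets.token_bytes(16)
        self._credentials[rec.user_id] = (salt, _hash_password(new_password, salt))
        return True

    def verify_password(self, user_id: str, password: str) -> bool:
        if user_id not in self._credentials:
            return False
        salt, stored = self._credentials[user_id]
        return secrets.compare_digest(stored, _hash_password(password, salt))
```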
No, this is MindTouch ... again. :(
This... is a long-standing issue. I'm not sure if it makes sense to block the MindTouch 2010 upgrade for it, given it exists in every version we've used to date.
(In reply to comment #7)
> This... is a long-standing issue. I'm not sure if it makes sense to block the
> MindTouch 2010 upgrade for it, given it exists in every version we've used to
> date.

We don't have to block the upgrade, but we will need to patch it ourselves as we did in bug 620395.
No longer blocks: 600834
What is our plan here? Is this issue still present? Can we upgrade and do our own patch?
Depends on: 620395
I re-opened bug 620395 to re-apply the patch to stage9 and production.
No longer depends on: 620395
Depends on: 620395
This is not a problem in Kuma, the new MDN platform that replaced MindTouch. Marking as fixed!
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Fixed by complete replacement of MindTouch. And also, we don't use passwords any more since adopting BrowserID
Version: Deki → unspecified
Component: Website → Landing pages
Product: Mozilla Developer Network → Mozilla Developer Network