MindTouch 2010 sends user password in cleartext

RESOLVED FIXED

Status

Product:
developer.mozilla.org
Component:
Wiki pages
Importance:
--
critical
Status:
RESOLVED FIXED
Reported:
8 years ago
Modified:
5 years ago

People

(Reporter: retornam, Unassigned)

Tracking

Details

(URL)

(Reporter)

Description

8 years ago 
1) Register a new account on https://developer-stage.mozilla.org/En
2) Check your email to find your password in cleartext

Comment 1

8 years ago 
mcoates: what's the preferred fix for this? password reset link? is it okay if it's a one-time password?

Comment 2

8 years ago 
we fixed this on v9 already...  bug 620395.  is this another case of mindtouch not patching their latest version?

Comment 3

8 years ago 
cc me on the bug so I can tell if it's the same xss

Comment 4

8 years ago 
looks like we need to copy over the same resources files into mindtouch 10

Comment 5

8 years ago 
(In reply to comment #1)
> mcoates: what's the preferred fix for this? password reset link? is it okay if
> it's a one-time password?

- Send the user a random token within a reset link.
- If not used, the token automatically expires after 4 hrs.
- The reset link forces an immediate password change.  

If this is a django app there is built in functionality to support this.

Comment 6

8 years ago 
No, this is MindTouch ... again. :(

Comment 7

8 years ago 
This... is a long-standing issue. I'm not sure if it makes sense to block the MindTouch 2010 upgrade for it, given it exists in every version we've used to date.

Comment 8

8 years ago 
(In reply to comment #7)
> This... is a long-standing issue. I'm not sure if it makes sense to block the
> MindTouch 2010 upgrade for it, given it exists in every version we've used to
> date.

We don't have to block the upgrade, but we will need to patch it ourselves as we did in bug 620395.
No longer blocks: 600834

Comment 9

8 years ago 
What is our plan here? Is this issue still present? Can we upgrade and do our own patch?
Depends on: 620395

Comment 10

8 years ago 
I re-opened bug 620395 to re-apply the patch to stage9 and production.
No longer depends on: 620395
Depends on: 620395

Comment 11

7 years ago 
This is not a problem in Kuma, the new MDN platform that replaced Mindtouch. Marking as fixed!
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 12

7 years ago 
Fixed by complete replacement of MindTouch. And also, we don't use passwords any more since adopting BrowserID
Version: Deki → unspecified
Component: Website → Landing pages
Product: Mozilla Developer Network → Mozilla Developer Network
You need to log in before you can comment on or make changes to this bug.