another 2 issues concern security! - CRITICAL somehow

    hi guys, I just discovered that when you click on the password retrieval link it only asks for a username and sends a new password to the email. What if anyone fills in "admin" or any known user and hits send! The password is changed and sent to the email, you can't login with the old password; meanwhile anyone can reset the password of anyone, even if it is sent to the user's email address! I think this needs to be addressed or solved even by a workaround; at least the user must confirm he wants to reset the password and another email sends a new one!? What do you think? Doesn't make sense to me

    Also the "columns" feature: I changed some column positions in a grid, then logged out, logged in with another user, and it still shows the same columns that were modified by the first user!? Is this making any sense to you? How will the user set up columns for other users? I tried from another computer and it is ok, showing the default columns, but on the same PC it does show the same columns as the previous user. It is critical I think!? What is the logout for? Isn't it supposed to remove all user stuff from the machine?????

  • #2
    Originally posted by MikeDE:
    hi guys, I just discovered that when you click on the password retrieval link it only asks for a username and sends a new password to the email. What if anyone fills in "admin" or any known user and hits send! The password is changed and sent to the email, you can't login with the old password; meanwhile anyone can reset the password of anyone, even if it is sent to the user's email address! I think this needs to be addressed or solved even by a workaround; at least the user must confirm he wants to reset the password and another email sends a new one!? What do you think? Doesn't make sense to me
    Mike, FWIW... If I understand correctly, when a user registers for the first time, they must enter a valid email address, correct? Isn't the email address associated with the uname?

    example; I create new user mtjones with email of mtjones@somewhere_com....
    IF I need to retrieve my password, doesn't the system send the email to the address associated with the user? => if I input some other user's name.... the email goes to the associated email address?

    example; if you knew my uname of 'bob' and you selected to 'retrieve' password and (just to pull a prank on me) you enter my uname of 'bob'... the email will be sent to "my" email address telling me "my" ('bob') password was changed.

    YES... I agree there should be some sort of 'safeguard' so some random person cannot reset someone else's password.

    example, other secure systems I use require some sort of answer to a "secret question" that I selected during registration... like "what is my favorite color" or "what is my dog's name" to verify that it is me.

    FWIW... the 'secret question' verification to the 'retrieve password' quite easily... therefore thwarting any 'pranks'.

    I hope I understood your question/observation... If not, sorry (ignore this).

    Stu Buck
    Phoenix AZ
    Last edited by stubuck; 02-07-2015, 05:40 PM.



    • #3
      Hi Stu,

      You are right, that is what I mean: if someone knows your username, he can retrieve the password to your email (create a new one and send it to the typed user's email). Although it does not compromise the password to other users, anyone who knows the user can also reset the password for that user!

      In my case, the users are known to all other users, which allows anyone to do that step without monitoring who did it! As you know, the retrieve-password application has no security control to know who did it.

      Alternatively, by clicking on retrieve password, a first email should be sent to the registered user/email, and from that email a new password should be generated and re-sent to the user as a new email...

      The issue is I'm sure that this feature was there before, and I just don't know why it is acting this way with this project... Is it related to the first time I created the security module perhaps? I don't know; what if that is true? Should I recreate the security module again or just add the code that makes this change?

      What do you think the best practice could be?



      • #4
        hi again, I was correct. After going through this issue, I found that when first creating the security module there is an option for how you want the password retrieval to go... You have 3 options: either send the free-text password to the user (not recommended at all); second is to create a new password and send it to the user by email (the issue I was talking about); and the 3rd, which is the best, is once you click retrieve password and fill in the username, the email will contain the so-called "act_code", sent as a link in the email, and unless it is clicked the password is not changed, which is good: the password will stay as is unless the user clicks that link....

        However, now the issue is that when you click the link with the act_code it actually takes you to a change-password screen and shows only new password and confirm new password... but it doesn't change the password! Why? Because it assumes the old password is not filled in! Because the old password in this form is actually required when you access the change-password form normally from within the project.

        So now we need to mark the old password as not required, and remove the "must have at least 6 letters... etc." in order for retrieve password to work ok. Grrrrrrrrrr, still doesn't make sense. I also want to get rid of this onBlur message showing "username must have at least 5/6 characters"; I couldn't do so unless I remove the validation from the field, which is obviously required.

        Hope anyone is following what I am writing; I don't think so. Sorry to give you a headache guys, my bad.
        Last edited by MikeDE; 02-08-2015, 11:01 AM.
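The flow Mike describes as the third option (nothing changes until the emailed act_code link is used) as an added Python example; this is not the framework's or the forum's own code. The in-memory user store, the act_code generation, the 15-minute TOKEN_TTL and the plain SHA-256 stand-in for a password hash are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample user store (hypothetical; a real app would use a proper
# password hash such as argon2 or bcrypt instead of bare SHA-256).
def _digest(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

USERS: Dict[str, Dict[str, str]] = {
    "admin": {"email": "admin@example.invalid", "pw_hash": _digest("old-secret")},
}
# Pending resets keyed by the digest of the act_code, so a copy of the
# table alone cannot be used to finish a reset: digest -> (username, expiry).
PENDING: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL = 15 * 60  # assumed lifetime of an act_code link, in seconds

def request_reset(username: str, now: float) -> Optional[str]:
    """Step 1: only an act_code is issued; the stored password is untouched.
    Returns the code to be mailed to the registered address, or None for an
    unknown user (the caller shows the same neutral message either way so
    this form cannot be used to check which usernames exist)."""
    user = USERS.get(username)
    if user is None:
        return None
    code = secrets.token_urlsafe(32)
    PENDING[_digest(code)] = (username, now + TOKEN_TTL)
    return code

def confirm_reset(code: str, new_password: str, now: float) -> bool:
    """Step 2: the password changes only when a valid, unexpired act_code is
    presented, and each code works once. No old password is asked for here,
    which is exactly why the change-password form must not require it."""
    entry = PENDING.pop(_digest(code), None)  # pop: single use even on failure
    if entry is None:
        return False
    username, expires = entry
    if now > expires or len(new_password) < 6:
        return False
    USERS[username]["pw_hash"] = _digest(new_password)
    return True

def check_login(username: str, password: str) -> bool:
    """Constant-time comparison of the stored and presented digests."""
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["pw_hash"], _digest(password))
```

A request for "admin" from a stranger therefore produces only an email to the registered address and leaves the old password working; only the holder of that mailbox can complete the reset.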
