Feature #21660
closed
Secure the BE login 3 - The password change facility does not require the user’s current password.
0%
Description
Currently the password change facility does not require the user’s current password. Due to cross site request forgery an attacker an attacker can change a user’s password if the attacker can entice the user to submit a forged request.
Suggestion:
The current password should be requiered by the password change facillity.
(issue imported from #M12723)
Updated by Marcus Krause over 14 years ago
FYI: Long time ago I made an effort (asking in mailinglist) to confirm a password change with the old password.
I'll remove number scheme from your other reports so that you cannot easily see that one report (this one) is hidden.
Updated by Marcus Krause over 14 years ago
And this is the mentioned thread (Jan 2008):
http://lists.typo3.org/pipermail/typo3-dev/2008-January/027241.html
Updated by Christian Kuhn over 12 years ago
- Target version deleted (
0) - TYPO3 Version set to 4.7
- PHP Version changed from 4.3 to 5.3
This is not a critical security issue anymore since the User settings module is CSRF protected.
Security team decided to open this issue as usual feature that can be solved with future TYPO3 versions.
Updated by Christian Kuhn over 12 years ago
- Project changed from 1716 to TYPO3 Core
Updated by Mathias Schreiber over 9 years ago
- Tracker changed from Bug to Feature
- Status changed from New to Accepted
- Priority changed from Should have to Could have
- Target version set to 7.0
- PHP Version changed from 5.3 to 5.5
Updated by Mathias Schreiber over 9 years ago
- Target version changed from 7.0 to 7.1 (Cleanup)
Updated by Benni Mack almost 9 years ago
- Target version changed from 7.1 (Cleanup) to 7.4 (Backend)
Updated by Susanne Moog almost 9 years ago
- Target version changed from 7.4 (Backend) to 7.5
Updated by Riccardo De Contardi over 8 years ago
- Status changed from Accepted to Closed
I think I can close this as solved with #35807
If you think that this is the wrong decision, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.