Feature #21660
closed
Secure the BE login 3 - The password change facility does not require the user’s current password.
Added by Nikolas Hagelstein over 14 years ago.
Updated over 8 years ago.
Description
Currently the password change facility does not require the user’s current password. Due to cross site request forgery an attacker an attacker can change a user’s password if the attacker can entice the user to submit a forged request.
Suggestion:
The current password should be requiered by the password change facillity.
(issue imported from #M12723)
FYI: Long time ago I made an effort (asking in mailinglist) to confirm a password change with the old password.
I'll remove number scheme from your other reports so that you cannot easily see that one report (this one) is hidden.
- Target version deleted (
0)
- TYPO3 Version set to 4.7
- PHP Version changed from 4.3 to 5.3
This is not a critical security issue anymore since the User settings module is CSRF protected.
Security team decided to open this issue as usual feature that can be solved with future TYPO3 versions.
- Project changed from 1716 to TYPO3 Core
- Tracker changed from Bug to Feature
- Status changed from New to Accepted
- Priority changed from Should have to Could have
- Target version set to 7.0
- PHP Version changed from 5.3 to 5.5
- Target version changed from 7.0 to 7.1 (Cleanup)
- Target version changed from 7.1 (Cleanup) to 7.4 (Backend)
- Target version changed from 7.4 (Backend) to 7.5
- Target version changed from 7.5 to 8 LTS
- Status changed from Accepted to Closed
I think I can close this as solved with #35807
If you think that this is the wrong decision, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by