Ticket #7723 (closed: fixed)

Opened 5 months ago

Last modified 4 months ago

DoS possible with django.contrib.auth.views.password_reset

Reported by: mafr Assigned to: lukeplant
Milestone: 1.0 Component: Authentication
Version: SVN Keywords:
Cc: Triage Stage: Design decision needed
Has patch: 0 Needs documentation: 0
Needs tests: 0 Patch needs improvement: 0

Description

The password_reset view creates a new password overwriting the existing one. Any user who knows your email address can trigger this process as often as he likes. The effect is that you can't log into your account until you change your password.

I think the existing password should remain valid even if a reset email has been triggered. The mail should contain a token that can be used to change the password; even if multiple password reset mails are sent, any token should be usable for password reset in a certain time window.

Attachments

Change History

07/11/08 16:57:39 changed by garcia_marc

  • needs_better_patch changed.
  • needs_docs changed.
  • stage changed from Unreviewed to Design decision needed.
  • needs_tests changed.
  • milestone set to post-1.0.

+1 on it

07/11/08 20:47:06 changed by julien

Note that a discussion has been going on on this topic at the dev-list [1]. Those wanting to write a patch should have a look there, there's plenty of good ideas for implementation.

[1] http://groups.google.com/group/django-developers/browse_thread/thread/d478dd9079bc448c/030e5cc02fbd2522?lnk=gst&q=salt#030e5cc02fbd2522

07/12/08 16:29:21 changed by gwilson

  • milestone changed from post-1.0 to 1.0.

Sounds like a bug to me, which makes it 1.0 material.

07/31/08 07:49:54 changed by lukeplant

  • owner set to lukeplant.

07/31/08 15:47:54 changed by lukeplant

  • status changed from new to closed.
  • resolution set to fixed.

(In [8162]) Fixed #7723 - implemented a secure password reset form that uses a token and prompts user for new password.

(follow-up: 7) 08/11/08 01:58:33 changed by omat@gezgin.com

Wouldn't it be better not to use the plain user id in the URL?

I don't see a security problem there, but just a slight bad taste for revealing user ids.

(in reply to: 6) 08/11/08 08:39:20 changed by lukeplant

Replying to omat@gezgin.com:

Wouldn't it be better not to use the plain user id in the URL? I don't see a security problem there, but just a slight bad taste for revealing user ids.

Well:

  • It's in base36, so it's not obviously anything at all. Even if they do know that it is a user id, what could they do with that information?
  • The only person who ever sees that URL is the user themselves -- it is never public.
  • The main problem with exposing ids is if you want to migrate your data to a different system in which the primary keys are different, because you are then stuck with supporting old URLs. But in this case, the URLs are intrinsically 'use once'.
  • What is your alternative? (I'm not saying there aren't any, just that they have more problems)
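The design sketched in the ticket description (a signed token in the mail, the existing password left untouched, any token issued within a time window accepted) and the base36 user id in the URL discussed in the comment above, as an added stand-alone example. This is not Django's code and not the fix committed in [8162]; `User`, `SECRET_KEY`, `TOKEN_VALID_SECONDS`, `make_token`, `check_token` and `confirm_reset` are names chosen here, and the secret, window length and sample user are constructed for the example. Because the HMAC covers the current password hash, a token stops verifying as soon as the password changes, which is what makes the link use-once without any server-side state.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for the example; a real site signs with its own secret key.
SECRET_KEY = b"example-secret-key-not-for-production"
# Acceptance window for a token (an assumption here: three days).
TOKEN_VALID_SECONDS = 3 * 24 * 60 * 60


def to_base36(n: int) -> str:
    """Encode a non-negative integer in base36 (the compact form used in the URL)."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(digits[r])
    return "".join(reversed(out))


def from_base36(s: str) -> int:
    return int(s, 36)


class User:
    """Minimal stand-in for a user record (constructed for the example)."""

    def __init__(self, uid: int, email: str, password: str):
        self.id = uid
        self.email = email
        self.set_password(password)

    def set_password(self, raw: str) -> None:
        # Salted hash; the point here is only that the hash changes with the password.
        self.salt = secrets.token_hex(8)
        self.password_hash = hashlib.sha256((self.salt + raw).encode()).hexdigest()

    def check_password(self, raw: str) -> bool:
        candidate = hashlib.sha256((self.salt + raw).encode()).hexdigest()
        return hmac.compare_digest(self.password_hash, candidate)


def _signature(user: User, ts: int) -> str:
    # Bind the token to this user, this password and this issue time.
    msg = f"{user.id}|{user.password_hash}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:32]


def make_token(user: User, now=None) -> str:
    """Issue a token; the user's existing password is NOT touched."""
    ts = int(now if now is not None else time.time())
    return f"{to_base36(ts)}-{_signature(user, ts)}"


def check_token(user: User, token: str, now=None) -> bool:
    """Accept any unexpired token whose signature matches the user's current state."""
    try:
        ts_b36, sig = token.split("-", 1)
        ts = from_base36(ts_b36)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _signature(user, ts)):
        return False
    age = (now if now is not None else time.time()) - ts
    return 0 <= age <= TOKEN_VALID_SECONDS


def reset_link(user: User, now=None) -> str:
    """The URL that would go into the mail: base36 user id plus token."""
    return f"/reset/{to_base36(user.id)}/{make_token(user, now)}/"


def confirm_reset(users_by_id: dict, uidb36: str, token: str, new_password: str, now=None) -> bool:
    """Handle the link: only a valid token lets the user pick a new password."""
    try:
        user = users_by_id.get(from_base36(uidb36))
    except ValueError:
        return False
    if user is None or not check_token(user, token, now):
        return False
    user.set_password(new_password)
    return True


if __name__ == "__main__":
    alice = User(42, "alice@example.com", "old-pw")  # constructed sample user
    print(reset_link(alice))
```

Two tokens issued in the same window both verify, so a flood of reset mails merely sends the user several working links; it cannot lock the account, because nothing changes until the user follows a link and chooses a new password.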
