Closed
Bug 1148994
Opened 9 years ago
Closed 9 years ago
You can request a change to your e-mail address without entering your current password, if password changes are disabled
Categories
(Bugzilla :: User Interface, defect)
RESOLVED
DUPLICATE
of bug 670669
People
(Reporter: mail, Unassigned)
Details
If password changes are disabled, the code in userprefs.cgi that checks that a password is valid (line 81) is not run. The code that checks for a password when changing the e-mail address (line 107) does not check that a password is valid, and thus will work when any incorrect password is given. This isn't a major issue since the default cookie-based system allows for both password and login name changes, but might affect some people using third-party / custom authentication schemes.
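The flaw described in this report, as an added example that is not Bugzilla's code: a simplified Python model in which the current password is verified only inside the password-change branch, next to a form that verifies it before any sensitive change. All function names, form fields, the KDF and the sample user are assumptions made for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value

def kdf(password):
    # Stand-in verifier for this model; not Bugzilla's password scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample account.
USER = {"login": "alice@example.com", "pw_hash": kdf("correct horse")}

def password_ok(user, supplied):
    return hmac.compare_digest(user["pw_hash"], kdf(supplied))

def save_flawed(user, form, password_change_enabled):
    """Model of the reported flow: validity is checked only in the
    password-change branch; the e-mail branch checks presence only."""
    actions = []
    old = form.get("old_password", "")
    if password_change_enabled and old:
        if not password_ok(user, old):
            raise PermissionError("current password is incorrect")
        if form.get("new_password"):
            actions.append("password_changed")
    new_login = form.get("new_login")
    if new_login and new_login != user["login"]:
        if not old:  # presence only, the value is never verified here
            raise PermissionError("current password required")
        actions.append("email_change_requested")
    return actions

def save_hardened(user, form, password_change_enabled):
    """Verify the current password once, before any sensitive change,
    independent of which features are enabled."""
    new_login = form.get("new_login")
    wants_email = bool(new_login) and new_login != user["login"]
    wants_password = password_change_enabled and bool(form.get("new_password"))
    if (wants_email or wants_password) and not password_ok(
            user, form.get("old_password", "")):
        raise PermissionError("current password is incorrect")
    actions = []
    if wants_password:
        actions.append("password_changed")
    if wants_email:
        actions.append("email_change_requested")
    return actions
```

The design point is that the credential check belongs to the sensitive action, not to a feature branch that a site setting can switch off.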
Reporter, updated 9 years ago
Summary: You change your e-mail address without entering your current password, if password changes are disabled → You can change your e-mail address without entering your current password, if password changes are disabled
Reporter, updated 9 years ago
Summary: You can change your e-mail address without entering your current password, if password changes are disabled → You can request a change to your e-mail address without entering your current password, if password changes are disabled
Updated 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated 9 years ago
Group: bugzilla-security