Last modified: 2012-04-12 13:55:58 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T29060, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 27060 - Users should be asked for their credentials when setting new email addresses
Status: RESOLVED DUPLICATE of bug 20185
Product: MediaWiki
Classification: Unclassified
Component: User preferences
Version: 1.16.x
Hardware/OS: All / All
Importance: High enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:

Reported: 2011-01-31 10:24 UTC by Liangent
Modified: 2012-04-12 13:55 UTC
CC List: 4 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Liangent 2011-01-31 10:24:15 UTC
I assume our check for the old password in Special:Resetpass is to prevent the case where I change someone's password when I'm using his computer and he didn't log out of his account.

However, our allowance for setting a new email address without typing the password again makes this check useless, since I can change/set his email address to mine and request a new password. In this way I can get his account without knowing his old password.
Comment 1 Mark A. Hershberger 2011-01-31 17:19:31 UTC
Thanks for reporting this, it will probably be fixed after 1.17.
Comment 2 Liangent 2011-01-31 18:05:50 UTC
Just a note for someone who implements this:

Some authentication extensions use special ways to check users' credentials, assign users invalid password hashes in the MediaWiki database, and call $user->setCookies() to log users in. In MediaWiki core, extensions should be asked whether they have their own methods to authenticate users.
Comment 3 Bawolff (Brian Wolff) 2011-02-03 04:23:25 UTC
+1 for this being a good idea.

As it stands, I believe the worst case for an XSS vulnerability is to change the email and steal the account. Requiring a password would help mitigate this.

(Of course, once you have an XSS attack, the user is still pretty screwed regardless, because you can still use JS to vandalize in the user's name, or present the user with a very convincing "you need to re-login" screen to steal their password, etc.)
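The re-authentication gate this thread asks for, as an added PHP illustration that is neither MediaWiki's code nor anything posted by a participant: the `Account` and `EmailChangeGuard` classes, the hook signature, and the sample accounts and passwords are all assumptions made here, and PHP's `password_verify` stands in for MediaWiki's own hash check. It shows the unchecked change from the report next to the guarded one, and the hook mechanism comment 2 asks for, failing closed for an account whose core password hash is unusable when no extension claims it.

```php
<?php
declare(strict_types=1);

// Added illustration, not MediaWiki code: an e-mail change is only applied
// after the caller re-enters the account's current password, and extensions
// that authenticate users themselves can take over that check via a hook.

final class Account {
    public function __construct(
        public string $name,
        public string $email,
        // null stands in for the "invalid password hash" that some auth
        // extensions store in the MediaWiki user table (comment 2).
        public ?string $passwordHash,
    ) {}
}

final class EmailChangeGuard {
    /** @var callable[] hooks of the form fn(Account, string $password): ?bool */
    private array $authHooks = [];

    // An extension that owns a user's credentials returns true or false;
    // it returns null to defer to the core password-hash check.
    public function registerAuthHook(callable $hook): void {
        $this->authHooks[] = $hook;
    }

    public function reauthenticate(Account $user, string $password): bool {
        foreach ($this->authHooks as $hook) {
            $verdict = $hook($user, $password);
            if ($verdict !== null) {
                return $verdict;
            }
        }
        // No usable hash and no extension claiming the user: fail closed.
        if ($user->passwordHash === null) {
            return false;
        }
        return password_verify($password, $user->passwordHash);
    }

    // Hardened path: a live session alone is not enough to redirect the
    // address that password-reset mails go to.
    public function changeEmail(Account $user, string $newEmail, string $password): bool {
        if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
            return false;
        }
        if (!$this->reauthenticate($user, $password)) {
            return false;
        }
        $user->email = $newEmail;
        return true;
    }
}

// Vulnerable path described in the report: whoever holds the session (an
// unattended browser, or script injected by XSS) can point the account at
// their own address and then request a new password for it.
function changeEmailUnchecked(Account $user, string $newEmail): void {
    $user->email = $newEmail;
}

// Constructed sample accounts and credentials for the demo.
$victim = new Account('Alice', 'alice@example.org',
    password_hash('correct horse battery', PASSWORD_DEFAULT));
$guard = new EmailChangeGuard();

changeEmailUnchecked($victim, 'attacker@example.net');
printf("unchecked change: e-mail is now %s\n", $victim->email);

$victim->email = 'alice@example.org';
printf("guarded, wrong password: %s\n",
    var_export($guard->changeEmail($victim, 'attacker@example.net', 'guess'), true));
printf("guarded, right password: %s\n",
    var_export($guard->changeEmail($victim, 'alice@new.example.org', 'correct horse battery'), true));

// Account managed by a hypothetical SSO extension: no core hash at all.
$sso = new Account('Bob', 'bob@example.org', null);
printf("extension user, no hook registered: %s\n",
    var_export($guard->changeEmail($sso, 'x@example.org', 'anything'), true));
$guard->registerAuthHook(function (Account $u, string $pw): ?bool {
    // Constructed stand-in for the extension's own credential check.
    return $u->name === 'Bob' ? ($pw === 'sso-secret') : null;
});
printf("extension user, hook registered: %s\n",
    var_export($guard->changeEmail($sso, 'bob@new.example.org', 'sso-secret'), true));
```

The decision is made server-side from a secret the session does not carry, so script running under an XSS bug (comment 3) cannot complete the change by itself; it can still phish the password, which is why the mitigation is partial rather than complete.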
Comment 4 Alexandre Emsenhuber [IAlex] 2011-03-19 18:37:20 UTC
*** Bug 20185 has been marked as a duplicate of this bug. ***
Comment 5 MZMcBride 2011-03-19 19:00:42 UTC
This is duped the wrong way. Fixing.

*** This bug has been marked as a duplicate of bug 20185 ***
