On Fri, 2003-01-03 at 07:31, Erik Moeller wrote:
> With our current system it is fairly trivial to reset a user's password
> against their will.
My understanding of the present system is:
1. Hit "send new password"
2. Software generates new random password, stores hash in
user_newpassword field and emails raw text in message to the user's
email address
3. When user logs in, check against both user_password and
user_newpassword hashes. If user_newpassword is a match, change
user_password to store the new password hash and clear user_newpassword,
thus making the mailed password the user's 'real' password.
4. With luck, the user changes their password to a new one.
So, to change another user's password against their will, you have to be
able to snarf the e-mail with the new password.
If it actually works differently, that's a bug. (I don't have time to
look at the code right now, gotta run...)
> We don't even check the interval in which the password is requested. I
> suggest we use Scoop's system of password mailing:
I agree, but for a different reason - the current system could be used
to mailbomb someone.
-- brion vibber (brion @ pobox.com)