[zanata-bugs] [Bug 750104] New: Old email validation links don't expire
bugzilla at redhat.com
Mon Oct 31 01:12:08 UTC 2011
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
Summary: Old email validation links don't expire
https://bugzilla.redhat.com/show_bug.cgi?id=750104
Product: Zanata
Version: 1.4.2
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: unspecified
Priority: unspecified
Component: Security
AssignedTo: runab at redhat.com
ReportedBy: damason at redhat.com
QAContact: dchen at redhat.com
CC: zanata-bugs at redhat.com
Group: redhat, private
Estimated Hours: 0.0
Classification: Community
Story Points: ---
Type: ---
Description of problem:
Clicking an old email validation link changes the user's email address even
when the link has already been used and the email address has been subsequently
changed.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Sign in, navigate to 'My Profile' page
2. Click 'Edit Profile' and enter a different email address that you can check
3. Repeat step 2 with a different email address
4. Open the second validation email and click the validation link
5. Check in 'Edit Profile' page that email address has changed
6. Open the first validation email and click the validation link
7. Check in 'Edit Profile' page that email address has changed
Steps 4-7 can be repeated any number of times with the same results
Actual results:
Email address *always* changes to the address for which the validation link was
generated.
Expected results:
- Only the most recent validation link changes email address, navigation to
other validation links shows an expiry message.
- An 'already validated' message is shown if the most recent validation link
is used more than once.
Additional info:
If someone's account is compromised once, a validation link can be generated
that can be used forever to change the user's email address to the hacker's
email address. This could then be used to reset the password (I think only for
auto authentication).
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
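The behaviour the report's "Expected results" asks for, as an added example that is not Zanata's code: each change request issues a fresh random token and supersedes the user's previous pending link, a link is consumed the first time it succeeds, and a hard lifetime (assumed here to be 24 hours) bounds how long any link stays usable. The in-memory store, the sample account name and addresses, and the helper names are all constructed for illustration.

```python
"""Single-use, superseding e-mail validation links (added example, not Zanata code).

Assumptions: an in-memory token store, SHA-256 hashed tokens, a 24-hour lifetime,
and constructed sample accounts. Return values model the three outcomes the bug
report expects: 'changed', 'expired' (older or timed-out link), 'already_validated'.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a validation link


def _hash(token: str) -> str:
    # Store only a digest so a leaked table does not hand out live links.
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeService:
    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self.emails = {}   # user -> current e-mail address
        self.links = {}    # token hash -> {user, new_email, issued_at, state}
        self.current = {}  # user -> hash of the only pending link for that user

    def register(self, user, email):
        self.emails[user] = email

    def request_change(self, user, new_email, now=None):
        """Issue a new link; any earlier pending link for this user is superseded."""
        now = time.time() if now is None else now
        old = self.current.get(user)
        if old is not None and self.links[old]["state"] == "pending":
            self.links[old]["state"] = "superseded"
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        h = _hash(token)
        self.links[h] = {"user": user, "new_email": new_email,
                         "issued_at": now, "state": "pending"}
        self.current[user] = h
        return token  # this is what would be embedded in the e-mailed URL

    def validate(self, token, now=None):
        """Apply the change exactly once; report why a link is no longer usable."""
        now = time.time() if now is None else now
        rec = self.links.get(_hash(token))
        if rec is None:
            return "invalid"
        if rec["state"] == "used":
            return "already_validated"
        if rec["state"] in ("superseded", "expired"):
            return "expired"
        if now - rec["issued_at"] > self.ttl:
            rec["state"] = "expired"
            return "expired"
        # Pending and within lifetime: consume it and apply the change.
        rec["state"] = "used"
        self.emails[rec["user"]] = rec["new_email"]
        self.current.pop(rec["user"], None)
        return "changed"


def reproduce_report(now=1_000_000.0):
    """Walk the report's steps 2-7 against the fixed service (constructed data)."""
    svc = EmailChangeService()
    svc.register("alice", "old@example.org")                      # constructed account
    first = svc.request_change("alice", "first@example.org", now)  # step 2
    second = svc.request_change("alice", "second@example.org", now)  # step 3
    results = [
        svc.validate(second, now),                  # step 4: newest link applies
        svc.validate(first, now),                   # step 6: older link is expired
        svc.validate(second, now),                  # reuse of the newest link
        svc.validate("not-a-real-token", now),      # forged link
        svc.validate(first, now + 2 * TOKEN_TTL_SECONDS),  # old link, much later
    ]
    return svc.emails["alice"], results


if __name__ == "__main__":
    print(reproduce_report())
```

The attack in "Additional info" fails against this model in two independent ways: a link minted during a compromise is superseded as soon as the legitimate user requests another change, and it dies on its own once the lifetime passes even if the user never does.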