Uploaded image for project: 'JSPWiki'
  1. JSPWiki
  2. JSPWIKI-45

Password change process should require old password

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 2.4.104, 2.5.139-beta, 2.6.0
    • 3.0
    • Authentication & Authorization
    • None

    Description

      UserProfile.jsp does not require you to type in your old password to change the new password. This can be a problem if you inadvertently leave your computer open and someone gains access to it.

      I think the old password should probably be required to change the email address as well, or else it could be used to restore the backend.

      (From Ounce)

      Attachments

        Issue Links

          is duplicated by

          Improvement - An improvement or enhancement to an existing feature or task. JSPWIKI-79 Ounce Labs Security Finding: Authentication - Change Password

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              jalkanen Janne Jalkanen
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: