Extensions can't fully block password changes
Closed, Resolved (Public)

Description

Special:PasswordReset can block password changes using the AbortLogin hook, and Special:ChangePassword can block password changes via $wgAuth->authenticate. The combination of these two approaches can work, but some extensions only implement one method or the other (and in some cases shouldn't implement both).

Lack of a consistent method for handling this leads to unexpected situations where a password can be changed, even though the extension author feels they are blocking it.

A hook should be added to Special:ChangePassword for this functionality.


Version: unspecified
Severity: normal
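As an added illustration that is not part of this task or of any MediaWiki extension: an AbortChangePassword handler of the kind the proposed hook makes possible, refusing a password change for accounts with a second factor enrolled unless the current session has already passed a second-factor check. The hook signature ( $user, $password, &$abortError ), the preference key, the session key and the message key are assumptions.

```php
<?php
// Added example, not from the task or from any MediaWiki extension. It registers a
// handler for the AbortChangePassword hook so that Special:ChangePassword refuses to
// set a new password for a second-factor account unless the session is verified.
// Assumed hook signature: AbortChangePassword( $user, $password, &$abortError ).

$wgHooks['AbortChangePassword'][] = 'SecondFactorPasswordGuard::onAbortChangePassword';

class SecondFactorPasswordGuard {
	/**
	 * Hypothetical lookup: does this account have a second factor enrolled?
	 * A real extension would consult its own storage instead of this preference.
	 */
	public static function hasSecondFactor( User $user ) {
		return (bool)$user->getOption( 'secondfactor-enrolled' ); // hypothetical key
	}

	/**
	 * Hypothetical check: did this session pass a second-factor verification recently?
	 * The timestamp is assumed to be written by the extension's own login step.
	 */
	public static function sessionVerified( WebRequest $request, $maxAgeSeconds = 300 ) {
		$verifiedAt = $request->getSessionData( 'secondfactor-verified-at' ); // hypothetical key
		return $verifiedAt !== null && ( time() - (int)$verifiedAt ) <= $maxAgeSeconds;
	}

	/**
	 * Hook handler: return false to abort the change; $abortError is shown to the user.
	 */
	public static function onAbortChangePassword( $user, $password, &$abortError ) {
		global $wgRequest;
		if ( !self::hasSecondFactor( $user ) ) {
			return true; // nothing to enforce for accounts without a second factor
		}
		if ( self::sessionVerified( $wgRequest ) ) {
			return true; // second factor already presented in this session
		}
		// Log the refusal so operators can spot repeated attempts against 2FA accounts.
		wfDebugLog( 'secondfactor', 'Refused password change for ' . $user->getName()
			. ' from ' . $wgRequest->getIP() . ': no verified second factor in session' );
		$abortError = wfMessage( 'secondfactor-password-change-denied' )->text(); // hypothetical key
		return false;
	}
}
```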

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz46590.
RyanLane created this task. Via Legacy, Mar 27 2013, 5:12 AM
RyanLane added a comment. Via Conduit, Mar 27 2013, 5:17 AM

Patch to add AbortChangePassword hook

Patch still needs proper testing. Submitting for feedback.

Attached: AbortChangePassword.patch

RyanLane added a comment. Via Conduit, Mar 27 2013, 4:07 PM

Updated and tested patch

One minor fix in patch. Has been tested and is working.

Attached: AbortChangePassword.patch

csteipp added a comment. Via Conduit, Mar 27 2013, 6:21 PM

Patch looks fine to me. I don't think the bug this fixes affects security (unless I'm missing something?), so I think we should make it public, put it in gerrit, and make sure other developers are on board with it.

csteipp added a comment. Via Conduit, Mar 27 2013, 8:58 PM

This bug does allow for two-factor authentication (OATHAuth) to be bypassed by doing a password reset, if the attacker also has access to the victim's email.

This doesn't affect the cluster, so no need to patch there, but we'll add this to the next security release.

csteipp added a comment. Via Conduit, Apr 30 2013, 4:01 PM

Created attachment 12210
patch for 1.19

Attached: 46590_119_git.patch

gerritbot added a comment. Via Conduit, Apr 30 2013, 8:17 PM

Related URL: https://gerrit.wikimedia.org/r/61631 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

gerritbot added a comment. Via Conduit, Apr 30 2013, 8:53 PM

Related URL: https://gerrit.wikimedia.org/r/61641 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

gerritbot added a comment. Via Conduit, Apr 30 2013, 8:58 PM

Related URL: https://gerrit.wikimedia.org/r/61644 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

gerritbot added a comment. Via Conduit, May 4 2013, 5:07 AM

Related URL: https://gerrit.wikimedia.org/r/62216 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM