SOGo | BTS

View Issue Details
ID: 0004140
Project: SOGo
Category: Web General
View Status: public
Date Submitted: 2017-04-09 12:42
Last Update: 2018-06-13 02:44
Reporter: skrupellos
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Platform:
OS:
OS Version:
Product Version: 3.2.8
Target Version:
Fixed in Version:
Summary: 0004140: Changing password should require the old password.
Description: If a user wants to change their password, they should be asked about their old password (like on most sites on the web or passwd on Linux).

This prevents quick changes of the password by someone who has access to an unsecured laptop for a few seconds.

The damage can be bigger than just deleting all your E-Mails (I hope the admin makes backups xD), since the password can also be used for other services besides SOGo.
Tags: No tags attached.
Attached Files
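
The control requested in the description, as an added example that is not SOGo code and not part of the original report: a password-change handler that treats a logged-in session as insufficient and re-verifies the current password first. `Account`, `change_password`, `MAX_FAILURES` and the in-memory session set are hypothetical names standing in for the real user backend.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumption: refuse further attempts after this many wrong guesses


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a real deployment uses its backend's scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical in-memory account record (constructed for this example)."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failed_changes = 0
        self.sessions = set()


def change_password(account, session_id, current_password, new_password):
    """Return (ok, reason). A valid session alone never authorises the change."""
    if session_id not in account.sessions:
        return False, "not-authenticated"
    if account.failed_changes >= MAX_FAILURES:
        return False, "locked"
    # Re-authenticate: the person at the keyboard must know the old password.
    supplied = hash_password(current_password or "", account.salt)
    if not hmac.compare_digest(supplied, account.pw_hash):
        account.failed_changes += 1
        return False, "current-password-required"
    if hmac.compare_digest(hash_password(new_password, account.salt), account.pw_hash):
        return False, "new-password-unchanged"
    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new_password, account.salt)
    account.failed_changes = 0
    # Drop every other session so an already-open one does not outlive the change.
    account.sessions = {session_id}
    return True, "changed"
```

The failure counter matters because the change form otherwise becomes a password-guessing oracle for anyone sitting at the unlocked session.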


-  Notes
(0012917)
pruje (reporter)
2018-06-13 02:44

I confirm this, I was about to open the same issue.
This is a serious security issue.

I confirm this issue is still there in SOGo 4.0.
Please fix this, guys! Thanks

- Issue History
Date Modified Username Field Change
2017-04-09 12:42 skrupellos New Issue
2018-06-13 02:44 pruje Note Added: 0012917

