View Issue Details

IDProjectCategoryView StatusLast Update
0004140SOGoWeb Generalpublic2020-07-27 10:21
Reporterskrupellos Assigned To 
PrioritynormalSeverityfeatureReproducibilityalways
Status resolvedResolutionfixed 
Product Version3.2.8 
Fixed in Version5.0.0 
Summary0004140: Changing password should require the old password.
Description

If a user want's to change their password, they should be asked about their old password (like on most sites in the web or passwd on Linux).

This prevents quick changes of the password by someone who has access to an unsecured laptop for a few seconds.

The damage can be bigger than just deleting all your E-Mails (I hope the admin makes backups xD), since the password can also be used for other services besides SOGo.

TagsNo tags attached.

Activities

pruje

pruje

2018-06-13 02:44

reporter   ~0012917

I confirm this, I was about to open the same issue.
This is a serious security issue.

I confirm this issue is still there in SOGo 4.0.
Please fix this, guys! Thanks

mrf

mrf

2020-07-21 16:16

reporter   ~0014562

Is there still no update regarding this major security issue after 3 years now?
In combination with other vulnerabilities, such as XSS or CSRF, this could lead to account takeover attacks.

the_nic

the_nic

2020-07-24 06:42

reporter   ~0014573

feel free to test/review: https://github.com/inverse-inc/sogo/pull/285 :-)

Related Changesets

sogo: master 2300fe8a

2020-07-27 10:12:22

nfabre


Committer: GitHub Details Diff
fix(core): Require current password on password change (0000285)

Increase security by requiring the current password when changing the
password. This increases the security for cases such as XSS, or just a
forgotten browser window left open.

Fixes 0004140
Affected Issues
0004140
mod - UI/MainUI/SOGoRootPage.m Diff File
mod - UI/PreferencesUI/English.lproj/Localizable.strings Diff File
mod - UI/PreferencesUI/German.lproj/Localizable.strings Diff File
mod - UI/Templates/PreferencesUI/UIxPreferences.wox Diff File
mod - UI/WebServerResources/js/Common/Authentication.service.js Diff File
mod - UI/WebServerResources/js/Preferences/PreferencesController.js Diff File

Issue History

Date Modified Username Field Change
2017-04-09 12:42 skrupellos New Issue
2018-06-13 02:44 pruje Note Added: 0012917
2020-07-21 16:16 mrf Note Added: 0014562
2020-07-24 06:42 the_nic Note Added: 0014573
2020-07-27 10:12 nfabre Changeset attached => sogo master 2300fe8a
2020-07-27 10:21 francis Status new => resolved
2020-07-27 10:21 francis Resolution open => fixed
2020-07-27 10:21 francis Fixed in Version => 5.0.0