Bug 1016647

Summary: User can change his password without knowing his current password
Product: Red Hat OpenStack Reporter: Rami Vaknin <rvaknin>
Component: python-django-horizon Assignee: Matthias Runge <mrunge>
Status: CLOSED ERRATA QA Contact: Nir Magnezi <nmagnezi>
Severity: high Docs Contact:
Priority: high    
Version: 4.0 CC: aortega, hateya, jpichon, mrunge, oblaut, rvaknin, sclewis, yeylon
Target Milestone: beta Keywords: Security, SecurityTracking, Triaged
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-django-horizon-2013.2-0.15.rc2.el6ost Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-20 00:26:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1023586    

Description Rami Vaknin 2013-10-08 13:19:42 UTC
Version
=======
rhos 4.0 on rhel 6.5, puddle 2013-10-03.3

Description
===========

Scenario:

1. Log in to Horizon; you can choose any user, either admin or non-admin
2. Click on the Settings link in the upper-right corner
3. Choose the Change Password vertical tab
4. Enter a wrong "Current Password" value
5. Enter a new password in the New Password and New Password Confirm boxes

The password will be changed to the new one although the old password is wrong.

Note that you're requested to provide a non-empty value in the Current Password box in order to proceed with the change password operation.

Comment 2 Kurt Seifried 2013-10-09 05:24:18 UTC
(In reply to Rami Vaknin from comment #0)
> Version
> =======
> rhos 4.0 on rhel 6.5, puddle 2013-10-03.3
> 
> Description
> ===========
> 
> Scenario:
> 
> 1. Log in to Horizon; you can choose any user, either admin or non-admin
> 2. Click on the Settings link in the upper-right corner
> 3. Choose the Change Password vertical tab
> 4. Enter a wrong "Current Password" value
> 5. Enter a new password in the New Password and New Password Confirm boxes
> 
> The password will be changed to the new one although the old password is
> wrong.
> 
> Note that you're requested to provide a non-empty value in the Current
> Password box in order to proceed with the change password operation.

Do you know if this also affects upstream as well? If unknown that's ok.

Comment 3 Rami Vaknin 2013-10-09 05:55:58 UTC
(In reply to Kurt Seifried from comment #2)
> (In reply to Rami Vaknin from comment #0)
> > Version
> > =======
> > rhos 4.0 on rhel 6.5, puddle 2013-10-03.3
> > 
> > Description
> > ===========
> > 
> > Scenario:
> > 
> > 1. Log in to Horizon; you can choose any user, either admin or non-admin
> > 2. Click on the Settings link in the upper-right corner
> > 3. Choose the Change Password vertical tab
> > 4. Enter a wrong "Current Password" value
> > 5. Enter a new password in the New Password and New Password Confirm boxes
> > 
> > The password will be changed to the new one although the old password is
> > wrong.
> > 
> > Note that you're requested to provide a non-empty value in the Current
> > Password box in order to proceed with the change password operation.
> 
> Do you know if this also affects upstream as well? If unknown that's ok.

Sorry, but I don't know; I have no upstream version at hand ATM.

Comment 4 Matthias Runge 2013-10-09 06:54:55 UTC
Also affects upstream version!

Comment 6 Alan Pevec 2013-10-15 19:23:45 UTC
tl;dr from upstream bug:
* fix in Horizon was to disable change password functionality on keystone v3
* Keystone server fix is to make default policy more restrictive and require adminess to change password in v3
* Identity v3 gap will be closed in Icehouse with API allowing update_own_password functionality from v2

Comment 12 Nir Magnezi 2013-10-24 11:05:36 UTC
Verified NVR: python-django-horizon-2013.2-0.15.rc2.el6ost.noarch

Followed the steps in Comment #0 both for admin and non-admin users.
The option for a user to change his own password is now disabled, and hence not present in the UI.

Comment 13 Kurt Seifried 2013-10-25 20:19:20 UTC
However, the previous version we shipped, as well as upstream, allowed this password change in the past without verifying the password, correct?

Comment 14 Matthias Runge 2013-10-28 08:29:19 UTC
Kurt, we didn't ship that version, as it's a pre-release.
In earlier, i.e. Grizzly installs, Horizon didn't support keystone v3, and only keystone v3 is affected with this issue.

From the launchpad bug:
For the OSSN crew:
We need to warn Grizzly users that they may not be as secure as they think with the Grizzly default for "user_update" policy and should consider changing it to "admin_required".

This affects keystone in grizzly(2013.1.x); havana (2013.2.x) is not affected.
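The policy point made in comment 14, as an added example that is not part of this bug report or of Keystone's own code: a small evaluator for the Grizzly-era policy.json shape (a rule is a list of alternatives, each a list of "key:value" checks, with "rule:name" referring to another rule). The policy contents below are constructed for illustration, keyed on the "user_update" and "admin_required" names the comment uses, and are not a copy of any shipped policy file.

```python
"""Constructed mini policy engine: shows why a "user_update" rule that
admits the owner lets a non-admin rewrite their own user object (password
included) with no old-password check, and why "admin_required" closes it."""

# Constructed permissive policy (assumption: not the shipped default file).
PERMISSIVE_POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "user_update": [["rule:admin_or_owner"]],
}

# Corrected variant: user_update requires adminness, as the comment recommends.
RESTRICTED_POLICY = dict(PERMISSIVE_POLICY, user_update=[["rule:admin_required"]])


def _check(check, policy, creds, target):
    """Evaluate one 'key:value' check against the caller's credentials.

    'rule:<name>' recurses into another rule; '%(attr)s' in the value is
    substituted from the target (the user object being updated)."""
    key, _, value = check.partition(":")
    if key == "rule":
        return enforce(value, policy, creds, target)
    expected = value % target  # e.g. "%(user_id)s" -> target's user_id
    return str(creds.get(key)) == expected


def enforce(rule, policy, creds, target):
    """A rule passes if any alternative (OR) has all its checks (AND) true."""
    alternatives = policy.get(rule, [])
    return any(all(_check(c, policy, creds, target) for c in alt)
               for alt in alternatives)


def self_service_password_change_allowed(policy):
    """Can a non-admin caller pass user_update on their own user object?

    The caller credentials are constructed: a plain member with no admin role."""
    creds = {"user_id": "u-1234", "role": "member"}
    return enforce("user_update", policy, creds, {"user_id": "u-1234"})


if __name__ == "__main__":
    print("permissive:", self_service_password_change_allowed(PERMISSIVE_POLICY))
    print("restricted:", self_service_password_change_allowed(RESTRICTED_POLICY))
```

Run against a real deployment's policy.json, the same check tells you whether the "user_update" rule (or its equivalent) still admits the owner before Horizon's change-password form is exposed.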

Comment 15 Julie Pichon 2013-10-29 13:44:16 UTC
An effort at documenting this for the release notes was made in bug 1021877.

Comment 17 errata-xmlrpc 2013-12-20 00:26:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html