Bug 761526

Summary: Password reset link can be used more than once
Product: Red Hat Satellite
Reporter: Jeff Weiss <jweiss>
Component: WebUI
Assignee: Brad Buckingham <bbuckingham>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.0.1
CC: bbuckingham, bkearney, dajohnso, kseifried, omaciel
Target Milestone: Unspecified
Keywords: Security, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-22 18:11:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 771333, 786160
Bug Blocks: 747354, 836071

Description Jeff Weiss 2011-12-08 14:40:12 UTC
Description of problem:


Version-Release number of selected component (if applicable):
0.1.111-1

How reproducible:


Steps to Reproduce:
1. Create a user account user1/password1 with an email address you can access
2. Log out
3. Click "Forgot password"
4. Fill out username/email to reset password
5. Retrieve email, click the link.
6. Reset password
7. Click the link again
  
Actual results:
Allowed to reset password again

Expected results:
UI should display error like "This link has expired.  Please use the password reset form on the login page if you need to reset your password".

Additional info:

Comment 1 Jeff Weiss 2011-12-08 14:43:47 UTC
In fact, it would be even more secure if the link was invalidated the instant it is accessed (rather than only after the form is submitted). I think a sniffer could access the URL - if he races to fill out the form first, he would "beat" the legitimate user. But he could not access the URL first - by the time he sniffs it, the legit user already beat him to it.

I guess you'd have to create a cookie or something for the first access.

Comment 2 Og Maciel 2011-12-12 21:06:23 UTC
I was able to reproduce it under katello-0.1.130-1.git.0.216c0d8.el6.x86_64

Comment 3 Brad Buckingham 2011-12-13 20:33:39 UTC
git commit : 3461becab18a3cc79054d4e9d7f1f07d41170089

Updated logic to reset the token as part of updating the password.  As a result, the token may only be used for updating the password 1 time.
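
The following is an added Ruby illustration of the defect in the "Steps to Reproduce" and of the fix described in comment 3; it is not Katello's code, and the `User` fields, the `PasswordReset` module, the one-hour `TOKEN_TTL` and the SHA-256 digests are all assumptions made for the example. `reset_password_reusable` keeps the token after the password update (the reported behaviour: step 7 succeeds), while `reset_password` clears the token in the same update as the password change, so the second use of the link is rejected. Comment 1's stricter variant (invalidating on first access rather than on submission) is not implemented here.

```ruby
require 'securerandom'
require 'digest'

# Added illustration (not Katello's code): a user record holding one
# password-reset token. Katello's real model and column names are not on
# the page; the fields below are assumptions. The SHA-256 password digest
# is only for the demonstration; real code uses a slow hash such as bcrypt.
class User
  attr_accessor :username, :password_digest, :reset_token_digest, :reset_token_expires_at

  def initialize(username, password)
    @username = username
    @password_digest = Digest::SHA256.hexdigest(password)
    @reset_token_digest = nil
    @reset_token_expires_at = nil
  end

  def authenticate?(password)
    PasswordReset.secure_compare(@password_digest, Digest::SHA256.hexdigest(password))
  end
end

module PasswordReset
  TOKEN_TTL = 60 * 60 # assumed one-hour link lifetime

  # Issue a token for the "Forgot password" link. Only a digest is stored, so
  # a database read does not yield a usable link; the raw value goes in the email.
  def self.issue(user, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    user.reset_token_digest = Digest::SHA256.hexdigest(raw)
    user.reset_token_expires_at = now + TOKEN_TTL
    raw
  end

  # A token is usable only if one is outstanding, it has not expired, and the
  # presented value matches (constant-time compare of the digests).
  def self.valid?(user, raw, now: Time.now)
    return false unless raw.is_a?(String)
    return false if user.reset_token_digest.nil? || user.reset_token_expires_at.nil?
    return false if now > user.reset_token_expires_at
    secure_compare(user.reset_token_digest, Digest::SHA256.hexdigest(raw))
  end

  # Behaviour from the report: the password changes but the token survives,
  # so steps 6 and 7 both succeed.
  def self.reset_password_reusable(user, raw, new_password, now: Time.now)
    return :invalid_token unless valid?(user, raw, now: now)
    user.password_digest = Digest::SHA256.hexdigest(new_password)
    :ok
  end

  # Behaviour after the fix in comment 3: clearing the token is part of the
  # same update as the password change, so the link works exactly once.
  def self.reset_password(user, raw, new_password, now: Time.now)
    return :invalid_token unless valid?(user, raw, now: now)
    user.password_digest = Digest::SHA256.hexdigest(new_password)
    user.reset_token_digest = nil
    user.reset_token_expires_at = nil
    :ok
  end

  # Byte-wise comparison that does not short-circuit on the first mismatch.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Replays the report's steps 4 to 7 against both variants and returns the
  # outcome of the second use of the link for each.
  def self.demo
    buggy = User.new('user1', 'password1')
    link = issue(buggy)
    reset_password_reusable(buggy, link, 'password2')
    second_use_buggy = reset_password_reusable(buggy, link, 'password3')

    fixed = User.new('user1', 'password1')
    link = issue(fixed)
    reset_password(fixed, link, 'password2')
    second_use_fixed = reset_password(fixed, link, 'password3')

    { buggy: second_use_buggy, fixed: second_use_fixed }
  end
end

puts PasswordReset.demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints `{:buggy=>:ok, :fixed=>:invalid_token}`: the reusable variant accepts the link a second time, the fixed variant returns the error the reporter expected. Storing a digest and clearing it in the same write as the password change also means there is no window in which a half-applied update leaves a live token behind.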

Comment 4 Jeff Weiss 2012-01-03 11:41:46 UTC
Blocked

Comment 5 Mike McCune 2012-01-26 19:06:53 UTC
mass ON_QA move

Comment 7 Jeff Weiss 2012-02-09 21:21:14 UTC
Verified, katello-0.1.229-1.git.0.f2ad9e2.el6.noarch

Comment 8 Kurt Seifried 2012-04-03 01:16:12 UTC
Can this bug now be closed? katello-0.1.307-1.el6.src.rpm

Comment 11 Mike McCune 2013-08-16 18:21:06 UTC
getting rid of 6.0.0 version since that doesn't exist