Bug 1016647 - User can change his password without knowing his current password
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon (Show other bugs)
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 4.0
Assigned To: Matthias Runge
QA Contact: Nir Magnezi
Keywords: Security, SecurityTracking, Triaged
Depends On:
Blocks: CVE-2013-4471
Reported: 2013-10-08 09:19 EDT by Rami Vaknin
Modified: 2013-12-19 19:26 EST (History)

See Also:
Fixed In Version: python-django-horizon-2013.2-0.15.rc2.el6ost
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-19 19:26:26 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1237989 None None None Never

Description Rami Vaknin 2013-10-08 09:19:42 EDT
Version
=======
rhos 4.0 on rhel 6.5, puddle 2013-10-03.3

Description
===========

Scenario:

1. Log in to Horizon; you can choose any user, either admin or non-admin
2. Click the Settings link in the top-right corner
3. Choose the Change Password vertical-tab
4. Enter a wrong "Current Password" value
5. Enter a new password in the New Password and New Password Confirm boxes

The password will be changed to the new one although the old password is wrong.

Note that you're requested to provide a non-empty value in the Current Password box in order to proceed with the change password operation.
Comment 2 Kurt Seifried 2013-10-09 01:24:18 EDT
(In reply to Rami Vaknin from comment #0)
> Version
> =======
> rhos 4.0 on rhel 6.5, puddle 2013-10-03.3
> 
> Description
> ===========
> 
> Scenario:
> 
> 1. Log in to Horizon; you can choose any user, either admin or non-admin
> 2. Click the Settings link in the top-right corner
> 3. Choose the Change Password vertical-tab
> 4. Enter a wrong "Current Password" value
> 5. Enter a new password in the New Password and New Password Confirm boxes
> 
> The password will be changed to the new one although the old password is
> wrong.
> 
> Note that you're requested to provide a non-empty value in the Current
> Password box in order to proceed with the change password operation.

Do you know if this affects upstream as well? If unknown, that's ok.
Comment 3 Rami Vaknin 2013-10-09 01:55:58 EDT
(In reply to Kurt Seifried from comment #2)
> (In reply to Rami Vaknin from comment #0)
> > Version
> > =======
> > rhos 4.0 on rhel 6.5, puddle 2013-10-03.3
> > 
> > Description
> > ===========
> > 
> > Scenario:
> > 
> > 1. Log in to Horizon; you can choose any user, either admin or non-admin
> > 2. Click the Settings link in the top-right corner
> > 3. Choose the Change Password vertical-tab
> > 4. Enter a wrong "Current Password" value
> > 5. Enter a new password in the New Password and New Password Confirm boxes
> > 
> > The password will be changed to the new one although the old password is
> > wrong.
> > 
> > Note that you're requested to provide a non-empty value in the Current
> > Password box in order to proceed with the change password operation.
> 
> Do you know if this affects upstream as well? If unknown, that's ok.

Sorry, but I don't know; I have no upstream version at hand ATM.
Comment 4 Matthias Runge 2013-10-09 02:54:55 EDT
Also affects upstream version!
Comment 6 Alan Pevec 2013-10-15 15:23:45 EDT
tl;dr from upstream bug:
* fix in Horizon was to disable change password functionality on keystone v3
* Keystone server fix is to make default policy more restrictive and require adminess to change password in v3
* Identity v3 gap will be closed in Icehouse with API allowing update_own_password functionality from v2
Comment 12 Nir Magnezi 2013-10-24 07:05:36 EDT
Verified NVR: python-django-horizon-2013.2-0.15.rc2.el6ost.noarch

Followed the steps in Comment #0 both for admin and non-admin users.
The option for a user to change his own password is now disabled, and hence not present in the UI.
Comment 13 Kurt Seifried 2013-10-25 16:19:20 EDT
However, the previous version we shipped, as well as upstream, allowed this password change in the past without verifying the password, correct?
Comment 14 Matthias Runge 2013-10-28 04:29:19 EDT
Kurt, we didn't ship that version, as it's a pre-release.
In earlier, i.e. Grizzly, installs, Horizon didn't support keystone v3, and only keystone v3 is affected by this issue.

From the launchpad bug:
For the OSSN crew:
We need to warn Grizzly users that they may not be as secure as they think with the Grizzly default for "user_update" policy and should consider changing it to "admin_required".

This affects keystone in grizzly(2013.1.x); havana (2013.2.x) is not affected.
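The gap that comments 6 and 14 describe, as an added constructed model (not Horizon or Keystone code): a minimal evaluator for Keystone's policy.json list syntax shows why the Grizzly-style `admin_or_owner` default on `identity:update_user` lets a user's own token rewrite its password without any current-password check, why `admin_required` closes that path, and what a self-service change that verifies the current password first looks like. The rule names mirror Keystone's policy.json; the evaluator, the user store and the sample credentials are constructed for illustration.

```python
"""Constructed model of the authorization gap behind CVE-2013-4471."""
import hmac

# Policy fragments in Keystone's policy.json list syntax: outer list = OR,
# inner list = AND. Rule names follow Keystone's (admin_required, owner,
# admin_or_owner, identity:update_user); the "Grizzly" values reflect the
# permissive default comment 14 warns about, the hardened ones its advice.
GRIZZLY_POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:update_user": [["rule:admin_or_owner"]],
}
HARDENED_POLICY = {**GRIZZLY_POLICY,
                   "identity:update_user": [["rule:admin_required"]]}


def _check(atom, policy, creds, target):
    """Evaluate one 'kind:value' atom against token credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, policy, creds, target)
    value = value % target  # expands %(user_id)s from the target user
    if kind == "role":
        return value in creds.get("roles", [])
    return str(creds.get(kind)) == value


def enforce(rule, policy, creds, target):
    """True if any conjunction of the named rule is fully satisfied."""
    return any(all(_check(a, policy, creds, target) for a in conj)
               for conj in policy.get(rule, []))


def v3_update_user(policy, creds, target_user_id, new_password, store):
    """Model of a v3 user update: policy is the only gate; no current
    password is ever requested, which is the gap the Horizon form exposed."""
    if not enforce("identity:update_user", policy, creds,
                   {"user_id": target_user_id}):
        return False
    store[target_user_id] = new_password  # constructed store, plaintext for illustration
    return True


def self_service_change(store, user_id, current_password, new_password):
    """Self-service change that verifies the current password first (the
    v2-style behaviour comment 6 says Icehouse brings to v3)."""
    if not hmac.compare_digest(store.get(user_id, ""), current_password):
        return False
    store[user_id] = new_password
    return True
```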
Comment 15 Julie Pichon 2013-10-29 09:44:16 EDT
An effort at documenting this for the release notes was made in bug 1021877.
Comment 17 errata-xmlrpc 2013-12-19 19:26:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html
