Red Hat Bugzilla – Bug 1023586
CVE-2013-4471 OpenStack: python-django-horizon password reset vulnerability
Last modified: 2016-04-26 22:03:34 EDT
Rami Vaknin of Red Hat reports:
rhos 4.0 on rhel 6.5, puddle 2013-10-03.3
1. Log in to Horizon; you can choose any user, either admin or non-admin
2. Click on the Settings link in the upper-right corner
3. Choose the Change Password vertical tab
4. Enter a wrong "Current Password" value
5. Enter a new password in the New Password and New Password Confirm boxes
The password will be changed to the new one although the old password is wrong.
Note that you're requested to provide a non-empty value in the Current Password box in order to proceed with the change password operation.
Yes, that's a known issue in a pre-release. It's already fixed in all python-django-horizon-2013.2-1 builds (and later).
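The missing check the report describes, shown as an added example (not Horizon's or Keystone's code): a change-password handler that only insists the "Current Password" field is non-empty, beside a hardened one that re-verifies the current password before storing the new one. The in-memory user store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; constructed store, not a real identity backend.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(username: str, password: str) -> dict:
    # Store maps username -> (salt, password hash).
    salt = os.urandom(16)
    return {username: (salt, _hash(password, salt))}


def verify(store: dict, username: str, password: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing by timing.
    salt, digest = store[username]
    return hmac.compare_digest(_hash(password, salt), digest)


def change_password_vulnerable(store: dict, username: str, current: str, new: str) -> bool:
    # Mirrors the reported behaviour: the form only requires a non-empty
    # "Current Password" value and never checks it against the stored one.
    if not current or not new:
        return False
    salt = os.urandom(16)
    store[username] = (salt, _hash(new, salt))
    return True


def change_password_fixed(store: dict, username: str, current: str, new: str) -> bool:
    # Hardened form: re-authenticate with the supplied current password first;
    # a wrong current password leaves the stored credential untouched.
    if not new or not verify(store, username, current):
        return False
    salt = os.urandom(16)
    store[username] = (salt, _hash(new, salt))
    return True
```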