Bug 761526 - Password reset link can be used more than once
Summary: Password reset link can be used more than once
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: WebUI
Version: 6.0.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Brad Buckingham
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On: 771333 786160
Blocks: katello-blockers 836071
Reported: 2011-12-08 14:40 UTC by Jeff Weiss
Modified: 2019-09-26 13:25 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 18:11:24 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 786160 0 unspecified CLOSED Password reset email fails silently with traceback in delayed_job 2021-02-22 00:41:40 UTC

Internal Links: 786160

Description Jeff Weiss 2011-12-08 14:40:12 UTC
Description of problem:


Version-Release number of selected component (if applicable):
0.1.111-1

How reproducible:


Steps to Reproduce:
1. Create a user account user1/password1 with an email address you can access
2. Log out
3. Click "Forgot password"
4. Fill out username/email to reset password
5. Retrieve the email, click the link.
6. Reset the password
7. Click the link again
  
Actual results:
Allowed to reset password again

Expected results:
The UI should display an error like "This link has expired.  Please use the password reset form on the login page if you need to reset your password".

Additional info:

Comment 1 Jeff Weiss 2011-12-08 14:43:47 UTC
In fact, it would be even more secure if the link was invalidated the instant it is accessed (rather than only after the form is submitted).  I think a sniffer could access the URL - if he races to fill out the form first, he would "beat" the legitimate user.  But he could not access the url first - by the time he sniffs it, the legit user already beat him to it.

I guess you'd have to create a cookie or something for the first access.

Comment 2 Og Maciel 2011-12-12 21:06:23 UTC
I was able to reproduce it under katello-0.1.130-1.git.0.216c0d8.el6.x86_64

Comment 3 Brad Buckingham 2011-12-13 20:33:39 UTC
git commit : 3461becab18a3cc79054d4e9d7f1f07d41170089

Updated logic to reset the token as part of updating the password.  As a result, the token may only be used for updating the password 1 time.
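The following is an added example, not Katello code and not the commit referenced above. It models the two ideas from this thread in plain Ruby: the link token is cleared the moment the link is first opened and exchanged for a short-lived form token (comment 1), and verifying and clearing the form token happens in the same step as the password update, so each issued link can change the password exactly once (comment 3). All class, module and method names, the TTL values, and the error string are assumptions for the illustration; the reproduction walkthrough at the end mirrors the steps in the bug description.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical user row. Only SHA-256 digests of the reset secrets are stored,
# together with an expiry, so a leaked database row is not a usable reset link.
class User
  attr_accessor :login, :password, :link_digest, :link_expires_at,
                :form_digest, :form_expires_at

  def initialize(login, password)
    @login = login
    @password = password
  end
end

module PasswordReset
  LINK_TTL = 60 * 60 # lifetime of the e-mailed link (assumed value)
  FORM_TTL = 15 * 60 # lifetime of the form token minted on first click (assumed value)
  EXPIRED  = "This link has expired.  Please use the password reset form on the " \
             "login page if you need to reset your password"

  module_function

  def digest(secret)
    Digest::SHA256.hexdigest(secret)
  end

  # Compare two digests without leaking the position of the first mismatch
  # through timing. Both sides are hex digests, so the lengths normally match.
  def secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # A stored secret is live if it exists, has not expired, and matches.
  def live?(stored_digest, presented, expires_at, now)
    !stored_digest.nil? && !expires_at.nil? && now <= expires_at &&
      secure_equal?(stored_digest, digest(presented))
  end

  # Step 4 of the bug: "Forgot password" mints the secret that goes into the link.
  def issue_link(user, now: Time.now)
    secret = SecureRandom.urlsafe_base64(32)
    user.link_digest = digest(secret)
    user.link_expires_at = now + LINK_TTL
    secret
  end

  # Step 5: first visit to the link. The link secret is invalidated here, before
  # the form is even shown (comment 1), and replaced by a short-lived form token
  # that a real application would hand to the browser as an HttpOnly cookie.
  # Anyone replaying the sniffed link afterwards gets the "expired" error.
  def open_form(user, link_secret, now: Time.now)
    return [:error, EXPIRED] unless live?(user.link_digest, link_secret, user.link_expires_at, now)
    user.link_digest = user.link_expires_at = nil
    form_secret = SecureRandom.urlsafe_base64(32)
    user.form_digest = digest(form_secret)
    user.form_expires_at = now + FORM_TTL
    [:ok, form_secret]
  end

  # Step 6: form submission. The token is checked and cleared in the same step as
  # the password update (comment 3), so resubmitting the form is rejected.
  def submit(user, form_secret, new_password, now: Time.now)
    return [:error, EXPIRED] unless live?(user.form_digest, form_secret, user.form_expires_at, now)
    user.form_digest = user.form_expires_at = nil
    user.password = new_password
    [:ok, nil]
  end
end

# Walk through the reproduction steps from the bug against this model.
# Returns [first click, replayed click, first submit, replayed submit, final password].
def reproduce
  user = User.new("user1", "password1")
  link = PasswordReset.issue_link(user)
  first_click, form = PasswordReset.open_form(user, link)    # legitimate user opens the form
  replayed_click, _ = PasswordReset.open_form(user, link)    # sniffer replays the same link
  first_submit, _   = PasswordReset.submit(user, form, "password2")
  replayed_submit, _ = PasswordReset.submit(user, form, "password3")
  [first_click, replayed_click, first_submit, replayed_submit, user.password]
end
```

Note that `open_form` handles the race described in comment 1: once the legitimate user has clicked, the link no longer carries any authority, and the form token never travels in the URL, so a sniffer who captures the link afterwards cannot submit the form. Expiry is enforced on both secrets so an unused link also dies on its own.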

Comment 4 Jeff Weiss 2012-01-03 11:41:46 UTC
Blocked

Comment 5 Mike McCune 2012-01-26 19:06:53 UTC
mass ON_QA move

Comment 7 Jeff Weiss 2012-02-09 21:21:14 UTC
Verified, katello-0.1.229-1.git.0.f2ad9e2.el6.noarch

Comment 8 Kurt Seifried 2012-04-03 01:16:12 UTC
Can this bug now be closed? katello-0.1.307-1.el6.src.rpm

Comment 11 Mike McCune 2013-08-16 18:21:06 UTC
getting rid of 6.0.0 version since that doesn't exist
