#461 Vulnerability - possible to remove account without verification

Status: implemented
Owner: nobody
Updated: 2015-10-08
Created: 2013-01-01
Creator: Beep6581
Private: No

If one is logged into SourceForge, it is possible to remove the account without providing any verification that the person attempting to remove the account is the actual owner of the account. If someone leaves his terminal while logged into SF, then a malicious person could within a few seconds terminate that person's account.

Amusingly, to change the email address you do need to verify by providing a password, but not so for deleting the account.
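The report above boils down to a missing re-authentication step: a session cookie only proves that a login happened some time earlier, not that the person at the keyboard right now is the account owner. The example below is added here and is not SourceForge's or Apache Allura's code; the in-memory user store, the `Session` object, the function names and the PBKDF2 password check are all assumptions standing in for the real web stack. It shows the vulnerable handler, which trusts the session alone, beside the hardened one that demands the current password on the deletion request itself, so a walk-up attacker at an unattended terminal cannot complete it.

```python
import hashlib
import hmac
import os

# Constructed in-memory model of an account system (example code, not
# Allura's). A real deployment would back these with the database and the
# framework's request/response objects.


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class User:
    def __init__(self, username, password):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.deleted = False

    def check_password(self, candidate):
        # Constant-time comparison so the check does not leak where the
        # digests first differ.
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)


class Session:
    """A logged-in browser session. It records that a login happened earlier;
    it says nothing about who is sitting at the terminal now."""

    def __init__(self, user):
        self.user = user


class ReauthRequired(Exception):
    """The action is sensitive; the caller must supply the current password."""


class AuthFailed(Exception):
    """A password was supplied but it was wrong."""


def delete_account_vulnerable(session):
    # VULNERABLE (the behaviour the ticket reports): the only evidence of
    # identity is the session cookie, so anyone who can reach the logged-in
    # browser can delete the account in a few seconds.
    session.user.deleted = True
    return True


def delete_account(session, password=None):
    # HARDENED (the fix the ticket asks for): re-authenticate on the deletion
    # request itself, exactly as the change-email form already does.
    if password is None:
        raise ReauthRequired("enter your current password to confirm deletion")
    if not session.user.check_password(password):
        raise AuthFailed("password does not match; account not deleted")
    session.user.deleted = True
    return True


def attempt_delete(session, password=None):
    """Drive the hardened handler and report the outcome as a status string,
    the way a view layer would turn the exceptions into a re-prompt or error."""
    try:
        delete_account(session, password)
        return "deleted"
    except ReauthRequired:
        return "reauth_required"
    except AuthFailed:
        return "auth_failed"


def walk_up_attack(handler, session):
    """Simulate an attacker at an unattended, logged-in terminal. They know
    no password, so they can only submit the request as-is. Returns whether
    the account ended up deleted."""
    try:
        handler(session)
    except ReauthRequired:
        pass
    return session.user.deleted


if __name__ == "__main__":
    victim = User("beep", "correct horse battery staple")  # constructed credentials
    print("vulnerable handler, walk-up attacker:",
          walk_up_attack(delete_account_vulnerable, Session(victim)))
    victim = User("beep", "correct horse battery staple")
    print("hardened handler, walk-up attacker:  ",
          walk_up_attack(delete_account, Session(victim)))
    print("hardened handler, wrong password:    ",
          attempt_delete(Session(victim), "guess"))
    print("hardened handler, owner with password:",
          attempt_delete(Session(victim), "correct horse battery staple"))
```

The re-prompt is deliberately tied to the deletion request rather than to a "recently logged in" flag, because the scenario in the report is precisely one where the login is recent and the person is not the owner.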

Discussion

  • Anonymous - 2013-01-02
    • labels: --> engr, nf-5537
    • status: unread --> assigned
    • assigned_to: Chris Tsai
  • Anonymous - 2013-01-02

    Greetings,

    We're planning on a full rewrite of the Account Settings pages, when we do that re-write, we will be sure to add an additional password prompt when requesting an account deletion: [allura:tickets:#5537]

    Regards,
    Chris Tsai, SourceForge.net Support


    Related

    Apache Allura: Tickets: #5537

  • John Barrett - 2015-10-07

    Hello,
    During a ticket review process I saw this ticket, so I apologize for the delay in my reply to this ticket. This seems more like a feature request than a support issue. I have moved this from the support queue to the feature request area.
    Thanks
    SourceForge Support

    Last edit: John Barrett 2015-10-07
  • Dave Brondsema - 2015-10-08

    This was fixed some time ago.

  • Dave Brondsema - 2015-10-08
    • status: assigned --> implemented
    • Category: -->
