Description
Suspended a nick. A person was able to reset the password. They were able to change the password, confirm, and forcefully identify to the nick that was suspended.
Steps to reproduce the issue:
- Set up a test account.
- Suspend the test account.
- Change the password for the test account.
Describe the results you received:
The password could be changed, and the user could forcefully identify to the account. The user was able to drop the nick (while it still showed as suspended) and was able to re-register the account, thus removing the suspension completely.
Describe the results you expected:
The user shouldn't be able to receive an email to change the password while the account is suspended.
Additional information you deem important (e.g. issue happens only occasionally):
I tried this on two networks that have Anope set up. It occurred on both networks.
Output of services --version:
Notice- {from ChanServ} VERSION Anope-2.0.12 services.technet.chat :UnrealIRCd 4+ - (enc_sha256) -- build #8, compiled 01:33:11 Jul 29 2023
and
Notice- {from ChanServ} VERSION Anope-2.0.9 services.freenode.net :InspIRCd 3 - (enc_sha256) -- build #19, compiled 01:56:18 Apr 20 2022, flags D
Notice- {from ChanServ} VERSION Anope-2.0.10 services.irc-nerds.net :UnrealIRCd 4+ - (enc_sha256) -- build #14, compiled 07:41:07 Oct 28 2021