Insecure password change function. Fixes #5538 #5550
Conversation
josegar74
commented
Mar 29, 2021
josegar74
commented
- Update API service to request the old password.
- Update the Administration UI to allow reset the password of the logged user. Administrators could also use the API service to reset the password of other users, but require to know the old user password, a bit unlikely. I don't see a reason for this as a user can reset his password or recover it.
josegar74
force-pushed
the
insecure_password_change_function
branch
from
e6a5ed7
to
e50e1e8
Compare
|
A script to add settings to the database is missing |
|
@pvgenuchten the change doesn't use any setting. Can you add the stacktrace? I just notice your UI is not updated, please check the wro4j cache. |
What Jo means is that when somebody walks to your screen, clicks change password and changes the password and can then use another machine to login with that password. For that case it is relevant also to provide the current password |
There was a problem hiding this comment.
LGTM but if there is no mail server available to use the recover my password then it will not be possible to reset a user password (it will require to go in the DB).
@archaeogeek what do you think about keeping the reset password for administrator users on all users if no mail server available (like https://github.com/geonetwork/core-geonetwork/blob/master/web-ui/src/main/resources/catalog/templates/signin.html#L98) ?
…work#5550) * Insecure password change function. Fixes geonetwork#5538 * Insecure password change function - unit tests. Fixes geonetwork#5538
|
@archaeogeek @josegar74 any ideas for a workaround for the issue "if there is no mail server available to use the recover my password then it will not be possible to reset a user password (it will require to go in the DB)." ? A number of users get stucked on this when they have no smtp server and no db access. |
|
@fxprunayre I missed your comment before, sorry. Yes, I think that keeping the password reset option for administrators if there is no smtp or database access is fine. |
|
@archaeogeek discussing with @josegar74 we were thinking adding a setting so we can turn this on or off. Is this fine for you? |
|
@fxprunayre personally I agree. It might not pass a really strict penetration test though, because if an admin account is compromised, this setting could be changed, which would bypass this whole security fix. |
|
Maybe we could have a setting which is not defined in database by default. So when setting up a catalogue, user can choose to add it: -- WARNING: Security / Add this settings only if you need to allow admin
-- users to be able to reset user password. If you have mail server configured
-- user can reset password directly. If not, then you may want to add that settings
-- if you don't have access to the database.
-- INSERT INTO Settings (name, value, datatype, position, internal)
-- VALUES ('system/security/password/allowAdminReset', 'false', 2, 12004, 'n');What do you think @archaeogeek @josegar74 ? |
|
@fxprunayre if we integrate this PR: #6161, I think we can add it with the default |
|
It is another level in between but if you know the API, you'll still be able to change the value ? |
A new settings allows administrator to reset local user password. This setting is not added to the database by default (for security reason - see #5550). Add it, only if you don't have mail server or if it is difficult to access to the database.
A new settings allows administrator to reset local user password. This setting is not added to the database by default (for security reason - see #5550). Add it, only if you don't have mail server or if it is difficult to access to the database.
A new settings allows administrator to reset local user password. This setting is not added to the database by default (for security reason - see #5550). Add it, only if you don't have mail server or if it is difficult to access to the database.
