Foswiki Tasks: Item2640 (04 Jan 2015, GeorgeClark)

Hi,

BulkResetPassword says "The TWikiAdminGroup can use BulkResetPassword to reset any number of passwords." This is literally true (any), but misleading.

The distributed TWiki has but it's been disallowed on the public site TWiki:TWiki/BulkResetPassword by PeterThoeny. Anyway, ALLOWTOPICVIEW doesn't matter at all. It's the access restriction to the resetpasswd CGI-bin that counts. Its URL scheme is public, see %TWIKIWEB%.TWikiScripts (and anybody can download the source); I've been able to handcraft a URL to reset some other user's password.

Some configurable way to enforce access control to both ResetPassword and BulkResetPassword would be a valuable enhancement. Configurable because not every installation may need this restriction.

Both restrictions should be identical. Bulk is by no means more sensitive than the normal reset. Any attacker can send a hundred requests to reset a hundred users.

TWikiAdminGroup looks like the right candidate for the users allowed to reset other users' passwords -- again under some configuration. Other configurations are conceivable where anybody can do anything.

Maybe a better place for this item would be in TWiki:TWiki/ResetPasswortDiscussion?

Regards, TWiki:Main/JoergHoehle


Did you try to bulk reset passwords without being an admin?

As far as I could see from the code it is hardcoded to only accept bulk resets from an admin.

The reset password feature for admins only (single user reset) would be a bit like going back to Cairo and how it worked there. The feature was added so the admin is not disturbed several times per day with password reset requests.

The consequences of an attacker resetting some passwords are in reality only that the users all get a new random password. It is annoying but does not really give the attacker any visible advantage, which is probably why such attacks are not commonly known. They are simply not funny or beneficial to do.

If the admin is away for a few days you end up with users that have to wait to get access again. I think that is a bigger disadvantage.

KJL

ItemTemplate

Summary: (bulk)ResetPassword restrictions?
ReportedBy: TWiki:Main.JoergHoehle
Codebase:
SVN Range: Wed, 12 Jul 2006 build 11001
AppliesTo: Engine
Component: FoswikiUIPasswords
Priority: Enhancement
CurrentState: No Action Required
WaitingFor:
Checkins:
TargetRelease: n/a
ReleasedIn: n/a
CheckinsOnBranches:
trunkCheckins:
masterCheckins:
ItemBranchCheckins:
Release01x01Checkins: