Diffusion roundcubemail 6fa2bddc59b9

Fix bug where a password could get changed without providing the old password
6fa2bddc59b9
Actions

Project Tags

None

Referenced Files

None

Subscribers

None

Description

Fix bug where a password could get changed without providing the old password

The password plugin uses loose comparison, leading to a type juggling vulnerability that
allows password changes without knowing the old password in specific cases.

Reported by flydragon777

Details

Provenance

machniak	Authored on Tue, Mar 17, 2:18 PM
mollekopf	Pushed on Wed, Mar 18, 2:18 PM

Parents

R113:a4ead994d2f0: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache…

Branches

Unknown

Tags

Unknown

Build Status

Buildable 57195

Event Timeline

machniak committed R113:6fa2bddc59b9: Fix bug where a password could get changed without providing the old password (authored by machniak).Wed, Mar 18, 10:19 AM

Harbormaster completed building B57195: R113:6fa2bddc59b9: Fix bug where a password could get changed without providing the old password.Wed, Mar 18, 2:18 PM

Changes (2)

Path

Size

CHANGELOG.md

plugins/

password/

password.php

R113:6fa2bddc59b9

View Options

CHANGELOG.md

View Options

plugins/password/password.php

Fix bug where a password could get changed without providing the old password6fa2bddc59b9Actions

Description

Details

Event Timeline

Changes (2)

R113:6fa2bddc59b9

CHANGELOG.md

plugins/password/password.php

Fix bug where a password could get changed without providing the old password
6fa2bddc59b9
Actions