
[Savannah-help-public] [sr #107268] Verification of account email change


From: Matt McCutchen
Subject: [Savannah-help-public] [sr #107268] Verification of account email changes is ineffective
Date: Sat, 13 Feb 2010 22:44:37 +0000
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100210 Fedora/3.6.1-1.matt1.fc12 Namoroka/3.6

URL:
  <http://savannah.gnu.org/support/?107268>

                 Summary: Verification of account email changes is ineffective
                 Project: Savannah Administration
            Submitted by: hashproduct
            Submitted on: Sat 13 Feb 2010 05:44:37 PM EST
                Category: Savannah website
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
             Assigned to: None
        Originator Email: 
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

When I change my account email address via the "My Account Conf" page,
Savannah sends a verification link to the new email address to make me prove
that I control it:


You have requested a change of email address on Savannah.
Please visit the following URL to complete the email change:

https://savannah.gnu.org/my/admin/change.php?item=email&confirm_hash=0cdb6814142967ec&step=confirm
-- the Savannah team.


But Savannah sends the same link to my old email address, except for a query
parameter at the end:


Someone, presumably you, has requested a change of email address on
Savannah.
If it wasn't you, maybe someone is trying to steal your account...

Your current address is address@hidden, the supposedly new address
is address@hidden

If you did not request that change, please visit the following URL to discard
the email change and report the problem to us:

https://savannah.gnu.org/my/admin/change.php?item=email&confirm_hash=0cdb6814142967ec&step=discard

-- the Savannah team.


So I can complete the verification without actually controlling the new
address!  Savannah should be changed to use different tokens in the two links.




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107268>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
