View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000284 | Main CAcert Website | account administration | public | 2006-08-08 08:07 | 2013-01-14 10:47 |
Reporter | Sourcerer | Assigned To | duane | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2006 | ||||
Summary | 0000284: move the LostPassphrase answers (+questions) to an additional page | ||||
Description | so that the main page does not show those private details. It is only seldom necessary for the sysadmin to view the answers, so we should only disclose that personal data to the sysadmin when she needs to see it. Additionally we can track the viewing of the data this way through the Apache logfiles. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
related to | 0000408 | confirmed | Improve the 5 QA warning message sent to the user on 5 QA set access |
|
Logging using Apache logfiles only works for GET requests. We need to make sure that it is not possible to access the site using POST-passed parameters. |
|
We changed it to open it on a click on the same page. |
|
Why didn't you implement/secure the tracking/logging? For an exploit create an HTML file containing <form method="post" action="https://www.cacert.org/account.php?id=43&userid=2583"> <input type="hidden" name="showlostpw" value="yes"> <input type="submit" value="go"> </form> and click on "go". showlostpw doesn't show up in the GET string, so you'll never know that someone accessed the lost password questions/answers. |
|
Changed $_REQUEST to $_GET... |
|
Thanks. Make sure to put a comment line next to this $_GET so that you'll never change this back to $_REQUEST :) |
|
Also a great improvement for a more readable page! |
|
```php
<?php
// This is intentionally a $_GET for audit purposes. DO NOT CHANGE!!!
if ($_GET['showlostpw'] != "yes") { ?>
```
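A hardened form of the check discussed in the notes above, as an added example that is not CAcert's code: it keeps the $_GET-only read and adds an application-level audit line, so the trail no longer depends on the Apache access log alone (which never records POST body parameters). The log path, the `$_SESSION['admin_id']` key and `$currentAdminId` are assumptions, not names from the CAcert code base.

```php
<?php
// Added example (not CAcert's code): gate the lost-passphrase view on a
// query-string flag only, and write an explicit audit record rather than
// relying on the web server's access log alone, which never sees POST bodies.

// Hypothetical audit log path; choose one the web server user can append to.
const LOSTPW_AUDIT_LOG = '/var/log/cacert-lostpw-audit.log';

// Read the flag from $_GET only. $_REQUEST merges GET, POST and cookie
// values, so a flag passed in a POST body would reach the same code path
// without ever appearing in the access log's request line.
function lostpwViewRequested(array $get): bool
{
    return isset($get['showlostpw']) && $get['showlostpw'] === 'yes';
}

// Record who viewed whose answers, independent of the HTTP method used.
// Returns false if the audit line could not be written.
function auditLostpwView(int $adminId, int $targetUserId, string $remoteAddr): bool
{
    $line = sprintf("%s admin=%d viewed lostpw answers of user=%d from %s\n",
        date('c'), $adminId, $targetUserId, $remoteAddr);
    return file_put_contents(LOSTPW_AUDIT_LOG, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Usage inside the admin account page, after the admin's session has been
// checked. The session key is a hypothetical placeholder for however the
// page identifies the logged-in administrator.
$currentAdminId = (int)($_SESSION['admin_id'] ?? 0);

if (lostpwViewRequested($_GET)) {
    $targetUserId = (int)($_GET['userid'] ?? 0);
    if (!auditLostpwView($currentAdminId, $targetUserId, $_SERVER['REMOTE_ADDR'])) {
        // Fail closed: if the audit record cannot be written, do not disclose.
        http_response_code(500);
        exit('audit log unavailable');
    }
    // ... render the lost-passphrase questions and answers for $targetUserId ...
}
```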
Date Modified | Username | Field | Change |
---|---|---|---|
2006-08-08 08:07 | Sourcerer | New Issue | |
2006-08-08 08:07 | Sourcerer | Status | new => needs work |
2006-08-08 08:07 | Sourcerer | Assigned To | => duane |
2006-08-08 08:31 | | Note Added: 0000339 | |
2006-08-08 08:46 | Sourcerer | Status | needs work => closed |
2006-08-08 08:46 | Sourcerer | Note Added: 0000340 | |
2006-08-08 08:46 | Sourcerer | Resolution | open => fixed |
2006-08-08 08:46 | Sourcerer | Fixed in Version | => production |
2006-08-08 09:03 | | Note Added: 0000343 | |
2006-08-08 09:06 | duane | Note Added: 0000344 | |
2006-08-08 09:11 | | Note Added: 0000347 | |
2006-08-10 07:53 | homer | Note Added: 0000356 | |
2006-08-10 08:09 | duane | Note Added: 0000357 | |
2007-02-04 21:46 | homer | Relationship added | related to 0000408 |
2013-01-14 10:47 | Werner Dworak | Fixed in Version | => 2006 |