[ST-91] Old password not required to change email. Old password should be mandatory. - Workterra Jira

Details

Type: Enhancement
Status: Closed
Priority: Medium
Resolution: Done
Component/s: BenAdmin
Labels:
- Security

Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete - Closed

Description

Praetorian discovered this vulnerability while examining the application’s user account management features. This feature does not require a user's current password to update their email address. This is shown in the figure below.

Ideally on Partner/Broker or company admin page, we should not able to update any field without asking old password. This password should not be sent to client side for verification.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Status of Pwd Auth.xls
9 kB
23/Mar/16 10:35 AM
TestCases_PasswordRequiredToChangeEmail.xls
10 kB
28/Jun/16 07:03 AM

Issue Links

relates to

WT-1981 Localization for password authentication

Closed

Activity

Descending order - Click to sort in ascending order

Hide

Permalink

Kunal Kedari (Inactive) added a comment - 27/Jun/16 04:26 AM

Functional testing is done for this feature on Production now old password is required while changing email, this change is working as expected for different locale as well. As per comments Zeeshan Chishty verified it from security perspective, hence closing the ticket.

Show

Kunal Kedari (Inactive) added a comment - 27/Jun/16 04:26 AM Functional testing is done for this feature on Production now old password is required while changing email, this change is working as expected for different locale as well. As per comments Zeeshan Chishty verified it from security perspective, hence closing the ticket.

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 23/Jun/16 06:14 AM

Old Password required for changing email confirmed on Production Server.

Show

Zeeshan Chishty (Inactive) added a comment - 23/Jun/16 06:14 AM Old Password required for changing email confirmed on Production Server.

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 16/Jun/16 07:35 AM

Rakesh Roy we do not have production login and Production security testing is not recommended

Show

Zeeshan Chishty (Inactive) added a comment - 16/Jun/16 07:35 AM Rakesh Roy we do not have production login and Production security testing is not recommended

Hide

Permalink

Rakesh Roy (Inactive) added a comment - 14/Jun/16 01:02 PM

Zeeshan Chishty Once you verify this from security perspective, assign to Deepali Tidke for functional verification.

Show

Rakesh Roy (Inactive) added a comment - 14/Jun/16 01:02 PM Zeeshan Chishty Once you verify this from security perspective, assign to Deepali Tidke for functional verification.

Hide

Permalink

Rakesh Roy (Inactive) added a comment - 14/Jun/16 12:49 PM

Please let us know for any functionality testing is needed other that Security testing on this.

Show

Rakesh Roy (Inactive) added a comment - 14/Jun/16 12:49 PM Please let us know for any functionality testing is needed other that Security testing on this.

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 10/Jun/16 06:10 AM

Verified on stage as Password is required to change mail id

Show

Zeeshan Chishty (Inactive) added a comment - 10/Jun/16 06:10 AM Verified on stage as Password is required to change mail id

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 25/Apr/16 12:49 PM

Verified as Old Password is required to change mail id

Show

Zeeshan Chishty (Inactive) added a comment - 25/Apr/16 12:49 PM Verified as Old Password is required to change mail id

Hide

Permalink

Amit Gude (Inactive) added a comment - 20/Apr/16 09:03 AM

Assigning to Zeeshan

Show

Amit Gude (Inactive) added a comment - 20/Apr/16 09:03 AM Assigning to Zeeshan

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 23/Mar/16 11:18 AM

Also check for Localization by login in 3 different languages

Show

Niteen Surwase (Inactive) added a comment - 23/Mar/16 11:18 AM Also check for Localization by login in 3 different languages

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 23/Mar/16 10:31 AM

*Page : *
Partner/Broker Users and Admin Users (Try with all level user login)

Description :
When Partner/Broker/Company Admin make changes in self or another Partner/Broker/Company Admin then pop-up displays. This pop-up asks for logged-in password. When user enters correct password then its make changes in user, otherwise, it shows wrong password message. For Super Admin login it is not showing Old password popup. It directly updates data.
Try with all user logins for Partner/Broker/Company Admin screens

For users scenario follow the attached excel-sheet!

Show

Niteen Surwase (Inactive) added a comment - 23/Mar/16 10:31 AM *Page : * Partner/Broker Users and Admin Users (Try with all level user login) Description : When Partner/Broker/Company Admin make changes in self or another Partner/Broker/Company Admin then pop-up displays. This pop-up asks for logged-in password. When user enters correct password then its make changes in user, otherwise, it shows wrong password message. For Super Admin login it is not showing Old password popup. It directly updates data. Try with all user logins for Partner/Broker/Company Admin screens For users scenario follow the attached excel-sheet!

People

Assignee:: Kunal Kedari (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Developer:: Niteen Surwase (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 15/Mar/16 10:36 AM

Updated:: 28/Jun/16 07:03 AM

Resolved:: 27/Jun/16 04:26 AM