Praetorian discovered this vulnerability while examining the application’s user account management features. This feature does not require a user's current password to update their email address. This is shown in the figure below.
Ideally on Partner/Broker or company admin page, we should not able to update any field without asking old password. This password should not be sent to client side for verification.
- relates to
-
WT-1981 Localization for password authentication
-
- Closed
-
| Field | Original Value | New Value |
|---|---|---|
| Assignee | Niteen Surwase [ niteen.surwase ] |
| Summary | Current password not required to change email | Old password not required to change email. It should mandatory. |
| Summary | Old password not required to change email. It should mandatory. | Old password not required to change email. Old password should be mandatory. |
| Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
| Status | Pending for Approval [ 10002 ] | Approved for Development [ 10003 ] |
| Status | Approved for Development [ 10003 ] | In Development [ 10007 ] |
| Assignee | Niteen Surwase [ niteen.surwase ] | Amit Gude [ amitg ] |
| Attachment | Status of Pwd Auth.xls [ 14400 ] |
Also check for Localization by login in 3 different languages
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Assigning to Zeeshan
| Assignee | Amit Gude [ amitg ] | Zeeshan Chishty [ zeeshan.chishty ] |
Verified as Old Password is required to change mail id
Zeeshan Chishty (Inactive)
added a comment - Verified as Old Password is required to change mail id Zeeshan Chishty (Inactive)
made changes -
| Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Niteen Surwase [ niteen.surwase ] |
Zeeshan Chishty (Inactive)
made changes -
| Labels | Security |
| Item State | Parent values: Development(10200)Level 1 values: In Progress(10206) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Development(10200) |
| Item State | Parent values: Development(10200) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) |
| Assignee | Niteen Surwase [ niteen.surwase ] | Zeeshan Chishty [ zeeshan.chishty ] |
Verified on stage as Password is required to change mail id
Zeeshan Chishty (Inactive)
added a comment - Verified on stage as Password is required to change mail id Zeeshan Chishty (Inactive)
made changes -
| Item State | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) |
Zeeshan Chishty (Inactive)
made changes -
| Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
Zeeshan Chishty (Inactive)
made changes -
| Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Vijayendra Shinde [ ID10506 ] |
| Developer | Niteen Surwase [ niteen.surwase ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Zeeshan Chishty [ zeeshan.chishty ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) |
| Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Rakesh Roy [ rakeshr ] |
Please let us know for any functionality testing is needed other that Security testing on this.
| Assignee | Rakesh Roy [ rakeshr ] | Zeeshan Chishty [ zeeshan.chishty ] |
| Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
Zeeshan Chishty Once you verify this from security perspective, assign to Deepali Tidke for functional verification.
Rakesh Roy we do not have production login and Production security testing is not recommended
Zeeshan Chishty (Inactive)
added a comment - Rakesh Roy we do not have production login and Production security testing is not recommended Old Password required for changing email confirmed on Production Server.
Zeeshan Chishty (Inactive)
added a comment - Old Password required for changing email confirmed on Production Server. Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Deepali Tidke [ deepalit ] |
| Assignee | Deepali Tidke [ deepalit ] | Kunal Kedari [ kunal.kedari ] |
Functional testing is done for this feature on Production now old password is required while changing email, this change is working as expected for different locale as well. As per comments Zeeshan Chishty verified it from security perspective, hence closing the ticket.
Kunal Kedari (Inactive)
added a comment - Functional testing is done for this feature on Production now old password is required while changing email, this change is working as expected for different locale as well. As per comments Zeeshan Chishty verified it from security perspective, hence closing the ticket. Kunal Kedari (Inactive)
made changes -
| Resolution | Fixed [ 1 ] | |
| Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
Kunal Kedari (Inactive)
made changes -
| Item State | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) | Parent values: Production QA(10203)Level 1 values: In Testing(10218) |
Kunal Kedari (Inactive)
made changes -
| Item State | Parent values: Production QA(10203)Level 1 values: In Testing(10218) | Parent values: Production Complete(10222)Level 1 values: Closed(10223) |
Kunal Kedari (Inactive)
made changes -
| Status | Production Complete [ 10028 ] | Closed [ 6 ] |
Kunal Kedari (Inactive)
made changes -
| Attachment | TestCases_PasswordRequiredToChangeEmail.xls [ 20745 ] |
| Transition | Time In Source Status | Execution Times |
|---|
|
7d 23h 43m | 1 |
|
5s | 1 |
|
3s | 1 |
|
1h 8m | 1 |
Zeeshan Chishty (Inactive)
made transition
-
|
33d 1h 21m | 1 |
|
44d 17h 54m | 1 |
Zeeshan Chishty (Inactive)
made transition
-
|
23h 26m | 1 |
Zeeshan Chishty (Inactive)
made transition
-
|
4s | 1 |
|
4d 6h 15m | 1 |
|
23m 27s | 1 |
Kunal Kedari (Inactive)
made transition
-
|
12d 15h 37m | 1 |
Kunal Kedari (Inactive)
made transition
-
|
43s | 1 |
*Page : *
Partner/Broker Users and Admin Users (Try with all level user login)
Description :
When Partner/Broker/Company Admin make changes in self or another Partner/Broker/Company Admin then pop-up displays. This pop-up asks for logged-in password. When user enters correct password then its make changes in user, otherwise, it shows wrong password message. For Super Admin login it is not showing Old password popup. It directly updates data.
Try with all user logins for Partner/Broker/Company Admin screens
For users scenario follow the attached excel-sheet!