Defect #32192

closed

Do not allow to send a security notification when the user account is locked.

Added by Hinako Tajima about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Administration
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix
Affected version:

Description

I suggest adding a function which disables sending security notifications if the account is locked.

I would like security email notifications to be disabled when the account is locked.

Actions #1

Updated by Go MAEDA about 5 years ago

I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?

Actions #2

Updated by Hinako Tajima about 5 years ago

Go MAEDA wrote:

I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?

This situation happens in Ver.3.4.10 when the administrator changes the email address of a locked account and saves.

Actions #3

Updated by Go MAEDA about 5 years ago

  • Category set to Administration

Hinako Tajima wrote:

This situation happens in Ver.3.4.10 when the administrator changes the email address of a locked account and saves.

I have confirmed that the trunk behaves the same. I think the notification should be sent even to locked users in order to prevent a malicious admin from abusing it.

If security notifications are not sent to a locked user, a malicious admin can stealthily change an active user's email address with the following steps:

1. Lock the user
2. Change the email address of the user
3. Unlock the user

To prevent such illegal operations, security notifications should be sent to locked users if their user account is updated.
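A toy Ruby model of the lock / change / unlock sequence described in this comment, added here as an illustration; it is not Redmine code and not the commenter's. The ToyUser class, the two policies and the mail addresses are constructed for the example.

```ruby
# Constructed toy model of the three-step sequence from comment #3.
# Not Redmine code: the user record, the policies and the addresses are
# all made up for illustration.

Notification = Struct.new(:to, :subject)

class ToyUser
  attr_reader :login, :status
  attr_accessor :mail

  def initialize(login, mail)
    @login, @mail, @status = login, mail, :active
  end

  def locked?; @status == :locked; end
  def lock!;   @status = :locked;  end
  def unlock!; @status = :active;  end
end

# Two candidate policies deciding whether a mail-change notification goes
# out. Both address it to the *previous* address, so the legitimate owner
# is the one who learns about the change.
POLICIES = {
  # What this ticket asked for: stay silent while the account is locked.
  skip_when_locked: lambda do |user, old_mail, outbox|
    outbox << Notification.new(old_mail, "mail changed for #{user.login}") unless user.locked?
  end,
  # What the ticket keeps: notify regardless of lock status.
  always_notify: lambda do |user, old_mail, outbox|
    outbox << Notification.new(old_mail, "mail changed for #{user.login}")
  end
}.freeze

# An admin edits the address; the chosen policy decides about notifying.
def change_mail(user, new_mail, outbox, policy)
  old_mail = user.mail
  return if old_mail == new_mail
  user.mail = new_mail
  POLICIES.fetch(policy).call(user, old_mail, outbox)
end

# Lock -> change address -> unlock, the sequence comment #3 warns about.
# Returns the notifications that would have been delivered.
def run_sequence(policy)
  user = ToyUser.new("alice", "alice@example.test")  # constructed sample
  outbox = []
  user.lock!
  change_mail(user, "intruder@example.test", outbox, policy)  # constructed
  user.unlock!
  outbox
end

puts "skip_when_locked: #{run_sequence(:skip_when_locked).size} notification(s)"
puts "always_notify:    #{run_sequence(:always_notify).size} notification(s)"
```

Under skip_when_locked the owner never hears about the change; under always_notify the old address receives exactly one notification, which is why the ticket was closed as "Wont fix".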

Actions #4

Updated by Go MAEDA about 5 years ago

  • Subject changed from Do not allow to send a security mail when the user account is locked. to Do not allow to send a security notification when the user account is locked.

Actions #5

Updated by Mischa The Evil about 5 years ago

Go MAEDA wrote:

I think the notification should be sent even to locked users [...]

I agree.

Actions #6

Updated by Go MAEDA about 5 years ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

I am closing this as a "Wont fix" because the requested behavior change can be a security loophole.
