Loading...

XML

Word

Printable

Details

Type: Improvement
Resolution: Fixed
Priority: Major
Fix Version/s: 13.10.1, 14.0-rc-1
Affects Version/s: 13.8
Component/s: Security
Labels:
None

Tests:

Unit
Difficulty:
Unknown
Documentation:
https://extensions.xwiki.org/xwiki/bin/view/Extension/Authentication%20Security%20Module/#HResetpassword
Documentation in Release Notes:
https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/14.0RC1/Entry001/
Similar issues:

Description

The reset password form is burning verification codes very aggressively. A simple reload will burn the code and look like an error for users. The implementation notes suggest that this is done to avoid the possibility for brute force attacks. However it seems hard to brute force attack such a verification code which is only created on demand by the user and an alternative method would be to use a timeout for the validity of the code.

I suggest the following implementation:

1/ Set a timeout for validity of codes
2/ Burn the codes only once the process is fully done or the timeout is exceeded

An additional security measure would be to add the IP address of the user as an additional check but this has side effects which could make it fail (send code from mobile, change password on desktop).

Attachments

Issue Links

is duplicated by

XWIKI-21326 Microsoft "safe links" interfers with password reset feature.

Closed

relates to

XWIKI-21571 Change default value of the reset password token lifetime

Closed

Activity

People

Assignee:: Simon Urli

Reporter:: Ludovic Dubost

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 21/Oct/21 18:50

Updated:: 21/Mar/24 18:01

Resolved:: 03/Dec/21 12:07