View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000070 | SKGB-intern | neues-kennwort | public | 2006-03-21 00:25 | 2014-07-20 20:45 |

| Field | Value |
|---|---|
| Reporter | aj |
| Assigned To | aj |
| Priority | normal |
| Severity | text |
| Reproducibility | always |
| Status | resolved |
| Resolution | fixed |
| Projection | major rework |
| ETA | none |
| Platform | WWW |
| OS | iCab |
| OS Version | 3.0b |
| Product Version | 1.1 |
| Product Build | |
| Target Version | 1.2 |
| Fixed in Version | 1.2 |
| Summary | 0000070: Change wording to not suggest user failure on neues-kennwort |
| Tags | No tags attached. |
| Attached Files | |

Description

Currently the copy on neues-kennwort suggests that they forgot the password. This isn't very friendly. The text should simply offer to have a new password sent by email, period.

Additional Information

index.php may have the same issue.

Security Considerations: By knowing how the password will be delivered, a sophisticated attacker may be able to intercept it and claim the password using the pw-ticket before the legitimate owner does. Since there is no connection-level security before entering digest/, the entire system is vulnerable to a man-in-the-middle attack, possibly actually preventing the reception of the pw-ticket on the legitimate user's end. The RISK is considered to be low because interception of all emails to a legitimate user by an attack directed at the POP3/IMAP password (or in fact against the digest/ password itself) is easier and more effective.