0012534: When using LDAP, the "Reset Password" function should be disabled - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0012534	mantisbt	ldap	public	2010-11-16 07:22	2011-07-12 05:39

Reporter	dregad	Assigned To	dhx
Priority	low	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.1
Target Version	1.2.5	Fixed in Version	1.2.5

Summary	0012534: When using LDAP, the "Reset Password" function should be disabled
Description	This is correctly implemented in the "My Account" page, but in the manage_user_edit_page.php, the "Reset Password" button is available and sends a verification e-mail to the user.
Steps To Reproduce	Enable ldap Navigate to Manage / Manage Users Pick a user Click the "Reset Password" button <== this should not be possible
Tags	patch
Attached Files	0001-Fix-#10887:--Remove-"Reset-Password"-button-on-User-Edit-Page-when-using-LDAP.patch (2,710 bytes) From 880db3ad3cbc69a51ceda7796c519aa4d1dda299 Mon Sep 17 00:00:00 2001 From: Damien Regad <damien.regad@merckserono.net> Date: Tue, 16 Nov 2010 16:40:19 +0100 Subject: [PATCH] Fix #10887: Remove "Reset Password" button on User Edit Page when using LDAP With LDAP, Mantis is not controlling the password, so resetting it does not make sense (i.e. be consistent with behavior in My Account page) Also fixed potential XSS vulnerabilities due to unescaped variables in forms. --- manage_user_edit_page.php \| 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/manage_user_edit_page.php b/manage_user_edit_page.php index b0dd092..facf47d 100644 --- a/manage_user_edit_page.php +++ b/manage_user_edit_page.php @@ -177,24 +177,28 @@ <!-- RESET AND DELETE --> <div class="border center"> + <!-- Reset Button --> +<?php if( !$t_ldap ) { ?> <form method="post" action="manage_user_reset.php"> <?php echo form_security_field( 'manage_user_reset' ) ?> - <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> + <input type="hidden" name="user_id" value="<?php echo string_attribute( $t_user['id'] ) ?>" /> <input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" /> </form> +<?php } ?> <!-- Delete Button --> <?php if ( !( ( user_is_administrator( $t_user_id ) && ( user_count_level( config_get_global( 'admin_site_threshold' ) ) <= 1 ) ) ) ) { ?> <form method="post" action="manage_user_delete.php"> <?php echo form_security_field( 'manage_user_delete' ) ?> - <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> + <input type="hidden" name="user_id" value="<?php echo string_attribute( $t_user['id'] ) ?>" /> <input type="submit" class="button" value="<?php echo lang_get( 'delete_user_button' ) ?>" /> </form> <?php } ?> </div> <br /> +<?php if( !$t_ldap ) { ?> <div align="center"> <?php if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { @@ -204,6 +208,7 @@ } ?> </div> +<?php } ?> <!-- PROJECT ACCESS (if permissions allow) and user is not ADMINISTRATOR --> @@ -232,8 +237,8 @@ <form method="post" action="manage_user_proj_add.php"> <?php echo form_security_field( 'manage_user_proj_add' ) ?> - <input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" /> -<!-- Unassigend Project Selection --> + <input type="hidden" name="user_id" value="<?php echo string_attribute( $t_user['id'] ) ?>" /> +<!-- Unassigned Project Selection --> <tr <?php echo helper_alternate_class() ?> valign="top"> <td class="category"> <?php echo lang_get( 'unassigned_projects' ) ?>: -- 1.7.1 0001-Fix-#10887:--Remove-"Reset-Password"-button-on-User-Edit-Page-when-using-LDAP.patch (2,710 bytes)

dregad 2010-11-16 10:40 developer ~0027379	Patch for 1.2.x attached.

dhx 2010-11-19 10:26 reporter ~0027429	Thanks Damien. Just some comments: The 'id' field for a user is always an integer and therefore doesn't need escaping (as it won't contain bad characters). You're successfully removing the display of the reset password function but this needs to be carried across to both lost_pwd.php, lost_pwd_page.php and manage_user_reset.php It is important to prevent the password reset working both behind the scenes (the form landing pages) and at the frontend (turning off the UI controls related to password resetting). I guess it should be enough to produce an error message and quit when one of the landing pages is accessed with LDAP turned on.

dregad 2010-11-19 10:45 developer ~0027431	Thanks for the feedback. I'll have a look at your suggestions and upload a more comprehensive patch later (as time allows).

dregad 2010-11-23 06:16 developer ~0027454	Hi David, I need some guidance here. I do not understand why there should be specific code to check for a bypass of the front-end in manage_user_reset.php or lost_pwd.php; it seems to me, that we are already protected against this kind of cases, thanks to the use of the form_security_validate function Adding code seems like belt & braces to me... Am I missing something ? With regards to lost_pwd_page.php, code is already there (line 30), so we're covered: if ( LDAP == config_get_global( 'login_method' ) \|\| ...... ) { trigger_error( ERROR_LOST_PASSWORD_NOT_ENABLED, ERROR ); } I look forward to your feedback. Damien

dhx 2010-12-14 06:18 reporter ~0027594	Thanks for the response (and apologies for this delayed reply). I do agree that the CSRF feature of MantisBT protects against malicious remote uses of manage_user_reset.php and lost_pwd.php. I'll have another look at this issue again shortly when I get around to committing my huge patch queue :)

dhx 2010-12-25 01:40 reporter ~0027693	Committed. Thanks Damien!