This patch adds a field to the user table for storing an alternate password. When a password request is made, the alternate password is set instead of clobbering the existing password. This allows the user to discard the regenerated password e-mail, preserving the existing password.

This also prevents abuse whereby any anonymous user can repeatedly reset user passwords potentially entirely blocking access to a site, e.g. a curl shell script that repeatedly posts a password reset request for all accounts.

Iff the alternate password is used for authentication, the alternate password becomes the main password. If the main password is set (e.g. admin user form), the alternate password is unset.

The patch was made against DRUPAL-4-5-2.

Cheers!
Sean

Attachments:
#2 pass_alt2.diff (6.81 KB, brlcad)
pass_alt.diff (6.12 KB, brlcad)

Comments

drumm’s picture

IMO the fix to this issue should remove sending the password altogether. Instead store a unique hash code and then send a URL with that code which presents a page for entering the new password twice.

The same hash code system could be used for activating new accounts without sending a password in email.

brlcad’s picture

Status: new, file size: 6.81 KB

Oops.. posted the wrong diff file. It's missing 4 lines from user_save() that md5's the pass_alt:

  // Inside user_save()'s loop over the submitted fields: hash the
  // alternate password with md5() before writing it to the user table.
  else if ($key == 'pass_alt') {
    $query .= "$key = '%s', ";
    $v[] = md5($value);
  }

Attachment includes the update.

Agree with drumm that not sending the password altogether would be desirable. Regardless, the main point (and primary vulnerability) is to not reset the existing password until you are sure who is making that request.
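The flow drumm describes (a random code stored only as a hash, a link carrying the code, and a form that asks for the new password twice) together with brlcad's point that the existing password must stay untouched until the requester is verified, as an added example that is not part of this thread or of Drupal's code. The in-memory store, the sha256 hashing (standing in for whatever password hashing the site uses), the one-hour validity window and the example.invalid URL are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed validity window for a reset link


class PasswordResetStore:
    """In-memory stand-in for the user table plus a reset-token table (constructed)."""

    def __init__(self):
        self.users = {}   # name -> {"mail": ..., "pass": <hash>}
        self.tokens = {}  # hash(token) -> {"user": name, "expires": timestamp}

    @staticmethod
    def _hash(value: str) -> str:
        # Assumption: sha256 stands in for the site's real password hashing.
        return hashlib.sha256(value.encode()).hexdigest()

    def add_user(self, name: str, mail: str, password: str) -> None:
        self.users[name] = {"mail": mail, "pass": self._hash(password)}

    def check_login(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(user["pass"], self._hash(password))

    def request_reset(self, name: str, now: float = None):
        """Anyone may call this; it changes nothing about the account itself.

        Returns the URL to e-mail to the account's address, or None if there
        is no such user. Repeated requests only add more short-lived tokens;
        the stored password is never touched here.
        """
        now = time.time() if now is None else now
        if name not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        # Only the hash of the token is stored, so reading the table does not
        # yield a usable link. The token is high-entropy, so a plain dict lookup
        # on its hash is fine here.
        self.tokens[self._hash(token)] = {"user": name, "expires": now + TOKEN_TTL_SECONDS}
        return f"https://example.invalid/user/reset/{token}"  # placeholder host

    def complete_reset(self, token: str, new_pass: str, confirm_pass: str,
                       now: float = None) -> bool:
        """Called by the page the link opens; the password changes only here."""
        now = time.time() if now is None else now
        key = self._hash(token)
        rec = self.tokens.get(key)
        if rec is None or rec["expires"] < now:
            self.tokens.pop(key, None)  # drop a stale entry, if any
            return False
        if not new_pass or new_pass != confirm_pass:
            return False  # typo in the confirmation: token stays valid for a retry
        user = rec["user"]
        # Single use: consume this token and any other outstanding one for the user.
        self.tokens = {k: v for k, v in self.tokens.items() if v["user"] != user}
        self.users[user]["pass"] = self._hash(new_pass)
        return True


if __name__ == "__main__":
    store = PasswordResetStore()
    store.add_user("alice", "alice@example.invalid", "original-secret")
    link = store.request_reset("alice")
    print("mail this link:", link)
    print("old password still works:", store.check_login("alice", "original-secret"))
    token = link.rsplit("/", 1)[1]
    print("reset completed:", store.complete_reset(token, "new-secret", "new-secret"))
    print("new password works:", store.check_login("alice", "new-secret"))
```

The property the thread is after is visible in `request_reset`: it never writes to the user record, so any number of anonymous requests leave the current password working, and the only thing an attacker can cause is e-mail to the account's own address. The password changes in `complete_reset`, which only someone holding the emailed token can reach, and a consumed or expired token cannot be replayed.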

dries’s picture

I agree with Neil. I won't commit this patch and will await the proper solution. Note that no new functionality is added to the stable DRUPAL-4-5 branch: patches that implement new features should apply against CVS HEAD.

c.barber’s picture

How do I use this diff file?

I have one member who insists on repeatedly resetting my password.

drumm’s picture

Can someone re-confirm that this is still an issue for Drupal 4.6 and HEAD? That code got changed recently.

Status: Fixed » Closed (fixed)