Last modified: 2013-05-04 05:07:51 UTC
Special:PasswordReset can block password changes using the AbortLogin hook, and Special:ChangePassword can block password changes via $wgAuth->authenticate. The combination of these two approaches can work, but some extensions only implement one method or the other (and in some cases shouldn't implement both). Lack of a consistent method for handling this leads to unexpected situations where a password can be changed, even though the extension author feels they are blocking it. A hook should be added to Special:ChangePassword for this functionality.
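The report above describes two entry points (Special:PasswordReset via the AbortLogin hook, Special:ChangePassword via the new AbortChangePassword hook) that an extension has to cover with one consistent policy. The following is an added illustration, not the attached patch and not code from MediaWiki or OATHAuth: a minimal extension that routes both hooks through a single decision function, so the two paths cannot disagree. The hook argument lists follow MediaWiki 1.21's docs/hooks.txt as I recall them and should be checked against the merged change; `SecondFactorStore` and the message key are hypothetical names.

```php
<?php
// Added example: block password changes for users enrolled in a (hypothetical)
// second factor, from BOTH hooks the bug report discusses, so that
// Special:PasswordReset and Special:ChangePassword enforce the same rule.
// Hook argument lists are assumed from MediaWiki 1.21's docs/hooks.txt.

$wgHooks['AbortLogin'][] = 'ConsistentPasswordGuard::onAbortLogin';
$wgHooks['AbortChangePassword'][] = 'ConsistentPasswordGuard::onAbortChangePassword';

class ConsistentPasswordGuard {
	/**
	 * One policy decision shared by both hooks. Returning null allows the
	 * operation; returning a message key refuses it with that explanation.
	 * SecondFactorStore is an assumed helper, not a real MediaWiki class.
	 */
	private static function refusalReason( User $user ) {
		if ( !SecondFactorStore::isEnrolled( $user ) ) {
			return null; // no second factor on this account: nothing to guard
		}
		if ( SecondFactorStore::verifiedThisSession( $user ) ) {
			return null; // second factor already presented in this session
		}
		return 'consistentpasswordguard-second-factor-required';
	}

	/**
	 * AbortLogin is the hook the report says Special:PasswordReset honours.
	 * Return false, set $retval to LoginForm::ABORTED and $msg to a message
	 * key to refuse.
	 */
	public static function onAbortLogin( $user, $password, &$retval, &$msg ) {
		$reason = self::refusalReason( $user );
		if ( $reason === null ) {
			return true;
		}
		$retval = LoginForm::ABORTED;
		$msg = $reason;
		wfDebugLog( 'ConsistentPasswordGuard', 'login refused for ' . $user->getName() );
		return false;
	}

	/**
	 * AbortChangePassword is the hook this bug adds to Special:ChangePassword.
	 * Return false with $abortError set to a message key to refuse the change.
	 */
	public static function onAbortChangePassword( $user, $oldPassword, $newPassword, &$abortError ) {
		$reason = self::refusalReason( $user );
		if ( $reason === null ) {
			return true;
		}
		$abortError = $reason;
		wfDebugLog( 'ConsistentPasswordGuard', 'password change refused for ' . $user->getName() );
		return false;
	}
}
```

The point of the shared `refusalReason()` is the one the report makes: when the decision lives in one place, an extension author cannot end up guarding one special page and forgetting the other, which is exactly the inconsistency that let a password be changed while the author believed it was blocked.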
Created attachment 11991 [details]: Patch to add AbortChangePassword hook

Patch still needs proper testing. Submitting for feedback.
Created attachment 11997 [details]: Updated and tested patch

One minor fix in patch. Has been tested and is working.
Patch looks fine to me. I don't think the bug this fixes affects security (unless I'm missing something?), so I think we should make it public, put it in gerrit, and make sure other developers are on board with it.
This bug does allow for two-factor authentication (OATHAuth) to be bypassed by doing a password reset, if the attacker also has access to the victim's email. This doesn't affect the cluster, so no need to patch there, but we'll add this to the next security release.
Created attachment 12210 [details]: patch for 1.19
Related URL: https://gerrit.wikimedia.org/r/61631 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)
Related URL: https://gerrit.wikimedia.org/r/61641 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)
Related URL: https://gerrit.wikimedia.org/r/61644 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)
Related URL: https://gerrit.wikimedia.org/r/62216 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)