0004140: Changing password should require the old password. - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0004140	SOGo	Web General	public	2017-04-09 16:42	2020-07-27 14:21

Reporter	skrupellos	Assigned To
Priority	normal	Severity	feature	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	3.2.8
Fixed in Version	5.0.0

Summary	0004140: Changing password should require the old password.
Description	If a user want's to change their password, they should be asked about their old password (like on most sites in the web or passwd on Linux). This prevents quick changes of the password by someone who has access to an unsecured laptop for a few seconds. The damage can be bigger than just deleting all your E-Mails (I hope the admin makes backups xD), since the password can also be used for other services besides SOGo.
Tags	No tags attached.

pruje 2018-06-13 06:44 reporter ~0012917	I confirm this, I was about to open the same issue. This is a serious security issue. I confirm this issue is still there in SOGo 4.0. Please fix this, guys! Thanks

mrf 2020-07-21 20:16 reporter ~0014562	Is there still no update regarding this major security issue after 3 years now? In combination with other vulnerabilities, such as XSS or CSRF, this could lead to account takeover attacks.

the_nic 2020-07-24 10:42 reporter ~0014573	feel free to test/review: https://github.com/inverse-inc/sogo/pull/285 :-)

sogo: master 2300fe8a 2020-07-27 10:12 nfabre Committer: GitHub Details Diff	fix(core): Require current password on password change (0000285) Increase security by requiring the current password when changing the password. This increases the security for cases such as XSS, or just a forgotten browser window left open. Fixes 0004140	Affected Issues 0004140
	mod - UI/MainUI/SOGoRootPage.m	Diff File
	mod - UI/PreferencesUI/English.lproj/Localizable.strings	Diff File
	mod - UI/PreferencesUI/German.lproj/Localizable.strings	Diff File
	mod - UI/Templates/PreferencesUI/UIxPreferences.wox	Diff File
	mod - UI/WebServerResources/js/Common/Authentication.service.js	Diff File
	mod - UI/WebServerResources/js/Preferences/PreferencesController.js	Diff File

Date Modified	Username	Field	Change
2017-04-09 16:42	skrupellos	New Issue
2018-06-13 06:44	pruje	Note Added: 0012917
2020-07-21 20:16	mrf	Note Added: 0014562
2020-07-24 10:42	the_nic	Note Added: 0014573
2020-07-27 14:12	nfabre	Changeset attached	=> sogo master 2300fe8a
2020-07-27 14:21	francis	Status	new => resolved
2020-07-27 14:21	francis	Resolution	open => fixed
2020-07-27 14:21	francis	Fixed in Version	=> 5.0.0