incubator-heraldry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brendan O'Connor <>
Subject [PATCH] Activation Security Hole
Date Fri, 26 Jan 2007 00:48:40 GMT
Hello. My name is Brendan O'Connor; I'm a graduate student in Computer 
Science at The Johns Hopkins University. I am submitting a patch for the 
Heraldry PIP.

The bug/threat model that this patch addresses is as follows:

Alice creates a new account. PIP automatically sends an e-mail to Alice, 
with an account verification link. Oscar somehow gets access to the 
verification link, clicks it, then logs in with Oscar's credentials. Now 
Oscar is logged in, as Alice. The system believes Alice logged in, and 
presents Oscar with Alice's account page, as well as verifying Alice's 
e-mail address.

I have changed the code so as not to allow Oscar to log in during the 
verification process; the following error message will be displayed.
"You are not the account holder to whom the verification e-mail was 
sent.  You cannot login at this time."

I am attaching the patch to account_controller.rb.

Thanks very much for your attention; please feel free to reply to me 
with any questions or concerns.

---Brendan O'Connor

View raw message