[Savannah-help-public] [sr #107281] Verification of account email change

savannah-hackers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-help-public] [sr #107281] Verification of account email change

From:	Matt McCutchen
Subject:	[Savannah-help-public] [sr #107281] Verification of account email changes is ineffective (try 2)
Date:	Wed, 24 Feb 2010 23:47:06 +0000
User-agent:	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100220 Fedora/3.6.1-1.custom.fc12 Namoroka/3.6

Follow-up Comment #2, sr #107281 (project administration):

Additional comment (for whenever this issue is addressed):  It gets worse. 
The token is a function of the session cookie and the current time, so the
user can predict it without receiving either email.  The confirmation and
cancellation links should use two different, /random/ tokens.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107281>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[Savannah-help-public] [sr #107281] Verification of account email changes is ineffective (try 2), Matt McCutchen, 2010/02/24
- [Savannah-help-public] [sr #107281] Verification of account email changes is ineffective (try 2), Sylvain Beucler, 2010/02/24
  - [Savannah-help-public] [sr #107281] Verification of account email changes is ineffective (try 2), Matt McCutchen <=

Prev by Date: [Savannah-help-public] [sr #107282] XSS in account email change form
Next by Date: [Savannah-help-public] [sr #107283] Link to cancel an account email change does not work
Previous by thread: [Savannah-help-public] [sr #107281] Verification of account email changes is ineffective (try 2)
Next by thread: [Savannah-help-public] [sr #107282] XSS in account email change form
Index(es):
- Date
- Thread