Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Customising the CMS /

SS3.1.x - Change Password: Force Admin to Confirm Current Password


Reply


315 Views

Avatar
D-L

Community Member, 13 Posts

23 April 2014 at 11:42pm

Can anyone tell me whether SilverStripe has a configuration option which can be enabled in order to force admin users to have to confirm their current password when they try to change their password?

I've just received results back from a security scan by PwC for a client project and one of the Medium-risk security issues flagged (to be fixed within 60 days) was the following:

Description
Observation:
Admin users are not required to enter their current password when changing their password.

Sample Affected URL:
http://<mysite.com>/admin/myprofile

Impact:
A malicious user through the use of session hijacking, a man in the middle attack, cross-site request forgery attacks or finding an unattended logged in session could change an account password without knowing the current password. Also, when a user cannot change their username or password, they cannot be proactive in guarding against the user credentials being compromised.

Recommendation:
It is a best practice to allow a user to alter his username and password. Further, it should require a user to provide his current password in conjunction with providing the new password to revalidate the identity of the user.

Any help would be greatly appreciated. Thanks.

Attached Files