
SilverStripe Forums » Customising the CMS » SS3.1.x - Change Password: Force Admin to Confirm Current Password

  • D-L
    Community Member
    13 Posts

    SS3.1.x - Change Password: Force Admin to Confirm Current Password

    Can anyone tell me whether SilverStripe has a configuration option which can be enabled in order to force admin users to have to confirm their current password when they try to change their password?

    I've just received results back from a security scan by PwC for a client project and one of the Medium-risk security issues flagged (to be fixed within 60 days) was the following:

    Description
    Observation:
    Admin users are not required to enter their current password when changing their password.

    Sample Affected URL:
    http://<mysite.com>/admin/myprofile

    Impact:
    A malicious user through the use of session hijacking, a man-in-the-middle attack, cross-site request forgery attacks or finding an unattended logged-in session could change an account password without knowing the current password. Also, when a user cannot change their username or password, they cannot be proactive in guarding against the user credentials being compromised.

    Recommendation:
    It is a best practice to allow a user to alter his username and password. Further, it should require a user to provide his current password in conjunction with providing the new password to revalidate the identity of the user.

    Any help would be greatly appreciated. Thanks.

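The scan finding above boils down to one missing check in the profile form's password handler. The following is an added, framework-neutral PHP example (not SilverStripe's code and not from the poster) that places the flagged behaviour beside the hardened form the recommendation describes: the new password is accepted only after the submitter proves possession of the current password and the request carries a CSRF token bound to the session. Class and method names are hypothetical; `$storedHash` stands in for the hash the Member record would hold. Assumes PHP 7+ for `random_bytes()`.

```php
<?php
/**
 * Added example, not SilverStripe's code: a framework-neutral change-password
 * handler showing why /admin/myprofile was flagged and what "confirm the
 * current password" looks like in code. Names are hypothetical.
 */

class PasswordChangeResult
{
    public $ok;
    public $reason;
    public $newHash;

    public function __construct($ok, $reason = '', $newHash = null)
    {
        $this->ok = $ok;
        $this->reason = $reason;
        $this->newHash = $newHash;
    }
}

class PasswordChanger
{
    /**
     * The behaviour the scan reported: anyone who can submit the form
     * (hijacked session, CSRF, unattended browser) sets a new password.
     */
    public function changeUnchecked($newPassword)
    {
        return new PasswordChangeResult(true, '', password_hash($newPassword, PASSWORD_DEFAULT));
    }

    /**
     * Hardened version: re-validate identity with the current password and
     * tie the request to the session with a CSRF token before accepting
     * the new password.
     *
     * @param string $storedHash   hash currently stored for the account
     * @param string $current      "current password" field from the form
     * @param string $new          "new password" field
     * @param string $confirm      "confirm new password" field
     * @param string $sessionToken CSRF token held in the server-side session
     * @param string $formToken    CSRF token submitted with the form
     */
    public function changeChecked($storedHash, $current, $new, $confirm, $sessionToken, $formToken)
    {
        // Constant-time comparison so the token check does not leak timing.
        if (!is_string($formToken) || !hash_equals($sessionToken, $formToken)) {
            return new PasswordChangeResult(false, 'bad_csrf_token');
        }
        // The control the scanner asked for: prove possession of the current password.
        if (!is_string($current) || !password_verify($current, $storedHash)) {
            return new PasswordChangeResult(false, 'current_password_mismatch');
        }
        if ($new !== $confirm) {
            return new PasswordChangeResult(false, 'confirmation_mismatch');
        }
        if (strlen($new) < 8 || $new === $current) {
            return new PasswordChangeResult(false, 'weak_or_unchanged_password');
        }
        return new PasswordChangeResult(true, '', password_hash($new, PASSWORD_DEFAULT));
    }
}

// Constructed demo values (not real credentials).
$storedHash   = password_hash('old-secret-1', PASSWORD_DEFAULT);
$sessionToken = bin2hex(random_bytes(16));
$changer      = new PasswordChanger();

// A forged request that does not know the current password is rejected.
$r = $changer->changeChecked($storedHash, 'guess', 'new-secret-2', 'new-secret-2', $sessionToken, $sessionToken);
echo $r->reason, PHP_EOL; // current_password_mismatch

// The legitimate request succeeds and yields a fresh hash to store.
$r = $changer->changeChecked($storedHash, 'old-secret-1', 'new-secret-2', 'new-secret-2', $sessionToken, $sessionToken);
echo $r->ok ? 'changed' : $r->reason, PHP_EOL; // changed
```

In a SilverStripe install the equivalent check belongs in the validator of the form behind `/admin/myprofile`, comparing the submitted current password against the logged-in Member's stored hash before the new value is written; whether the installed 3.1.x release exposes a "require existing password" option on its password field should be verified against that version's API rather than assumed. Regenerating the session id after a successful change is a sensible companion control, since it invalidates any hijacked session the scan's Impact paragraph worries about.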