oftc / oftc-ircservices

OFTC's IRC Services
https://www.oftc.net/CodingProjects/
GNU General Public License v2.0

Sendpass tokens are not deleted after use #1

Closed cryogen closed 5 years ago

cryogen commented 11 years ago

They probably should be, or else the password can be reset multiple times, and if someone pastes their token after use the account can be taken over.

gustavonmartins commented 7 years ago

It actually happened to me! See https://github.com/oftc/oftc-ircservices/issues/23

Svetlana-T commented 7 years ago

If I am not mistaken, changing the master nick eliminates the risk: it makes it impossible to use the key for the account, as it is no longer valid. This is perhaps a workaround.

df7cb commented 7 years ago

<@Myon> shouldn't even be hard, add a DB call at modules/nickserv.c line 1815

dwfreed commented 7 years ago

From #31:

In order to fix the underlying issue, the sendpass token either would need to be something random, stored in and retrieved from the database, or derived from the password hash, so that it's automatically invalidated when the user's password changes.