[standards-jig] JEP-0077 Password Changing Security Flaw

Thomas Muldowney temas at box5.net
Sun Jan 25 19:57:34 UTC 2004


The actual call for the local password is a client check, not required 
by the API.  I think the API is comparable to the protocol, and does 
not need it.

--temas


On Jan 23, 2004, at 3:22 PM, JD Conley wrote:

> Windows, Unix, and Mac operating systems as well as numerous network 
> applications require users to enter their old password before changing 
> it.  They have authentication mechanisms too, and generally when you 
> change your password you are already authenticated.
>
> All I'm trying to say is, why is our network application special?  Why 
> do we not require the old password?  There must be some reason 
> everything else requires it.
>
> JD
>
>> -----Original Message-----
>> From: Justin Karneges
>> [mailto:justin-keyword-jabber.093179 at affinix.com]
>> Sent: Friday, January 23, 2004 12:56 PM
>> To: standards-jig at jabber.org
>> Subject: Re: [standards-jig] JEP-0077 Password Changing Security Flaw
>>
>> Clients that provide an XML window could still be compromised
>> by manually
>> entering the password-changing XML.
>>
>> There are also other interesting things you can do with such
>> XML windows, like
>> enabling 'Plaintext login' and then authenticating while the
>> XML window is
>> open.  Of course, the user would need his password saved to
>> disk for this to
>> work, which is generally easy for an attacker to retrieve anyway.
>>
>> I hate to repeat the same old "don't let an untrusted person use your
>> computer" mantra, as it is not very productive, but I'm not
>> sure of any other
>> good solution.  I suppose the client could be more
>> locked-down so that there
>> is no XML window, but at that point you may as well just lock
>> your desktop.
>>
>> -Justin
>>
>> On Friday 23 January 2004 12:21 pm, JD Conley wrote:
>>> Interesting thought. . .
>>>
>>> So perhaps we need a directive that clients SHOULD (or MUST
>>> maybe?) request
>>> both the old and new password, attempt to auth on another
>>> stream with the
>>> old password and then, if successful, set the new password.
>>> This would
>>> make me happy if changing the protocol is out of the question.
>>>
>>> JD
>>>
>>>> -----Original Message-----
>>>> From: Tomasz Sterna [mailto:tomek at smoczy.net]
>>>> Sent: Friday, January 23, 2004 12:08 PM
>>>> To: standards-jig at jabber.org
>>>> Subject: RE: [standards-jig] JEP-0077 Password Changing
>>>> Security Flaw
>>>>
>>>> In a message of Fri, 23-01-2004, 06:02, JD Conley writes:
>>>>> I'm not talking about
>>>>> security in that context.  I'm talking about a flaw in
>>>>> the protocol.
>>>>
>>>> What you are describing is a flaw in a client, not in the
>>>> protocol.
>>>>
>>>> There is no way of changing the password without knowing
>>>> the current
>>>> one. You need to auth first to make a change.
>>>>
>>>> I see no reason for requiring it twice.
>>>> You have already proven that you are a legitimate user.
>>>>
>>>> Every "other implementation" you described is a client-side
>>>> implementation. It is a /bin/passwd program or windows
>>>> "change password
>>>> prompt window" that is protecting you from malicious coworkers.
>>>> A Jabber client should do the same.
>>>>
>>>> _______________________________________________
>>>> Standards-JIG mailing list
>>>> Standards-JIG at jabber.org
>>>> http://mailman.jabber.org/listinfo/standards-jig
>>>
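The client-side safeguard proposed in the thread (prompt for the old password, re-authenticate with it on a second stream, and only then send the jabber:iq:register change over the existing session), as an added Python sketch that is not code from the list or from any Jabber project. The server, streams and sessions here are an in-memory stand-in with constructed sample users, not a real XMPP connection; the server deliberately accepts a password change from any authenticated session without an old password, which is the JEP-0077 behaviour under discussion.

```python
import xml.etree.ElementTree as ET

NS = "jabber:iq:register"
ET.register_namespace("", NS)   # serialise <query xmlns='jabber:iq:register'/>


class RegisterServer:
    """Stand-in server with JEP-0077 semantics: an authenticated stream may set
    a new password; the protocol itself never asks for the old one."""

    def __init__(self, users):
        self.users = dict(users)          # username -> password (constructed)

    def open_stream(self, username, password):
        """Simulated stream authentication; returns a session dict or None."""
        if self.users.get(username) != password:
            return None
        return {"user": username}

    def handle_iq(self, session, iq_xml):
        """Handle an <iq type='set'/> carrying a jabber:iq:register query."""
        iq = ET.fromstring(iq_xml)
        query = iq.find("{%s}query" % NS)
        if iq.get("type") != "set" or query is None:
            return "error"
        user = query.findtext("{%s}username" % NS)
        new_pw = query.findtext("{%s}password" % NS)
        if user != session["user"] or not new_pw:
            return "error"
        self.users[user] = new_pw         # no old-password check, per the JEP
        return "result"


def build_change_iq(username, new_password):
    """Build the JEP-0077 password-change stanza for the bound user."""
    iq = ET.Element("iq", type="set", id="change1")
    query = ET.SubElement(iq, "{%s}query" % NS)
    ET.SubElement(query, "{%s}username" % NS).text = username
    ET.SubElement(query, "{%s}password" % NS).text = new_password
    return ET.tostring(iq, encoding="unicode")


def client_change_password(server, session, old_password, new_password):
    """Client-side check from the thread: prove knowledge of the old password
    by authenticating a second stream with it before sending the change."""
    probe = server.open_stream(session["user"], old_password)
    if probe is None:
        return "refused-by-client"   # wrong old password: never send the IQ
    return server.handle_iq(session, build_change_iq(session["user"], new_password))
```

The check lives entirely in the client, so a raw stanza pushed through an XML window still reaches `handle_iq` and succeeds; the example makes that gap visible rather than closing it.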