• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.


BulkResetPassword says "The TWikiAdminGroup can use BulkResetPassword to reset any number of passwords." This is literally true (any), but misleading.

The distributed TWiki has

but it's been disallowed on the public site TWiki:TWiki/BulkResetPassword by PeterThoeny. Anyway, ALLOCTOPICVIEW doesn't matter at all. It's the access restriction to the resetpasswd CGI-bin that counts. Its URL scheme is public, see TWikiScripts (and anybody can download the source); I've been able to handcraft a URL to reset some other user's password.

Some configurable way to enforce acces control to both ResetPassword and BulkResetPassword would be a valuable enhancement. Configurable because not every installation may need this restriction.

Both restrictions should be identical. Bulk is by no means more sensitive that the normal reset. Any attacker can send a hundred requests to reset a hundred users.

TWikiAdminGroup looks like the right candidate for the users allowed to reset other users passwords -- again under some configuration. Other configurations are concievable were anybody can do anything.

Maybe a better place for this item would be in TWiki:TWiki/ResetPasswortDiscussion?

Regards, TWiki:Main/JoergHoehle

Did you try to bulk reset passwords without being an admin?

As far as I could see from the code it is hardcoded to only accept bulk resets from an admin.

The reset password feature for admins only (single user reset) would be a bit like going back to Cairo and how it worked there. The feature was added so the admin is not disturbed several times per day with password reset requests.

The consequences of an attacker resetting some passwords is in reality only that the users all get a new random password. It is annoying but does not really give the attacker any visible advantage which is probably why such attacks are not commonly known. They are simply not funny or beneficial to do.

If the admin is away for a few days you end up with users that have to wait to get access again. I think that is a bigger disadvantage.


Summary (bulk)ResetPassword restrictions?
ReportedBy TWiki:Main.JoergHoehle
Codebase 4.0.2, 4.0.4, 4.0.3
SVN Range Wed, 12 Jul 2006 build 11001
AppliesTo Engine

Priority Enhancement
CurrentState New


TargetRelease n/a
Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r3 - 2006-07-18 - KennethLavrsen
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback