says "The TWikiAdminGroup
can use BulkResetPassword
to reset any number of passwords." This is literally true (any
), but misleading.
The distributed TWiki has
but it's been disallowed on the public site TWiki:TWiki/BulkResetPassword
. Anyway, ALLOCTOPICVIEW doesn't matter at all. It's the access restriction to the
CGI-bin that counts. Its URL scheme is public, see TWikiScripts
(and anybody can download the source); I've been able to handcraft a URL to reset some other user's password.
Some configurable way to enforce acces control to both ResetPassword
would be a valuable enhancement. Configurable because not every installation may need this restriction.
Both restrictions should be identical. Bulk is by no means more sensitive that the normal reset. Any attacker can send a hundred requests to reset a hundred users.
looks like the right candidate for the users allowed to reset other users passwords -- again under some configuration. Other configurations are concievable were anybody can do anything.
Maybe a better place for this item would be in TWiki:TWiki/ResetPasswortDiscussion
Did you try to bulk reset passwords without being an admin?
As far as I could see from the code it is hardcoded to only accept bulk resets from an admin.
The reset password feature for admins only (single user reset) would be a bit like going back to Cairo and how it worked there. The feature was added so the admin is not disturbed several times per day with password reset requests.
The consequences of an attacker resetting some passwords is in reality only that the users all get a new random password. It is annoying but does not really give the attacker any visible advantage which is probably why such attacks are not commonly known. They are simply not funny or beneficial to do.
If the admin is away for a few days you end up with users that have to wait to get access again. I think that is a bigger disadvantage.