[pydotorg-www] [PSRT] Bug in website

Victor Stinner vstinner at python.org
Tue Apr 27 12:00:59 EDT 2021


Hi,

Can someone please have a look? We received this email on the Python
security list.

Thanks,
Victor

On Sat, Mar 20, 2021 at 1:26 PM shubham more
<shubhammore262001 at gmail.com> wrote:
>
> Title:
> insecure account deletion
>
> Description:
> Hi Team,
>
> The removal of an account is one of the sensitive parts of a web application
> that needs to be protected; therefore removing an account should validate
> the authenticity of the user. However, I have found that when removing an
> account, the system did not require the user to input the account password.
>
> Steps to reproduce:
> 1) Go to https://www.python.org/accounts/signup/ -> sign up
> 2) Log in
> 3) Click on "edit profile"
> 4) Scroll to the last option on the page, "delete account"
> 5) Click on "delete account"
> Result: account deleted successfully
>
> Impact:
> An intruder can easily delete the account because the system did not protect
> it by asking for the password to validate that the person deleting the
> account is the real user.
> _______________________________________________
> PSRT mailing list -- psrt at python.org
> To unsubscribe send an email to psrt-leave at python.org
> https://mail.python.org/mailman3/lists/psrt.python.org/



-- 
Night gathers, and now my watch begins. It shall not end until my death.
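The report above describes a missing re-authentication step on a destructive action. The following Python example is added here to illustrate the defence; it is not python.org's code and says nothing about how the site actually implements account deletion. It uses a constructed in-memory account store and a hypothetical pair of handlers: `delete_account_unchecked` reproduces the behaviour the reporter describes (any live session can delete the account), and `delete_account_reauth` is the hardened form that verifies the current password before deleting and records refused attempts for monitoring.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; chosen for the example, tune for production.
_PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using a random salt unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the supplied password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """Constructed stand-in for the site's user database (hypothetical, example only)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, digest)
        self.audit_log: List[Tuple[str, str, str]] = []     # (event, username, detail)

    def create(self, username: str, password: str) -> None:
        self.accounts[username] = hash_password(password)

    def exists(self, username: str) -> bool:
        return username in self.accounts


def delete_account_unchecked(store: AccountStore, session_user: str) -> bool:
    """Mirrors the reported behaviour: possession of an authenticated session is the
    only check, so a session left open on a shared machine or a stolen session
    cookie is enough to destroy the account."""
    if not store.exists(session_user):
        return False
    del store.accounts[session_user]
    store.audit_log.append(("deleted", session_user, "no-reauth"))
    return True


def delete_account_reauth(store: AccountStore, session_user: str, supplied_password: str) -> bool:
    """Hardened form: the user must re-enter the account password at the moment of
    deletion. A session alone is not proof that the person at the keyboard is the
    account owner. Refusals are logged so repeated failures can be alerted on."""
    record = store.accounts.get(session_user)
    if record is None:
        return False
    salt, digest = record
    if not verify_password(supplied_password, salt, digest):
        store.audit_log.append(("delete-refused", session_user, "bad-password"))
        return False
    del store.accounts[session_user]
    store.audit_log.append(("deleted", session_user, "reauth-ok"))
    return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery staple")
    print("wrong password:", delete_account_reauth(store, "alice", "guess"))
    print("right password:", delete_account_reauth(store, "alice", "correct horse battery staple"))
    print("audit log:", store.audit_log)
```

In a real web application the same check belongs in the server-side handler for the delete request, alongside the usual CSRF protection and a rate limit on failed re-authentication attempts; the audit entries give the operations team a signal when someone is guessing passwords against the deletion endpoint.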