[pydotorg-www] [PSRT] Bug in website

M.-A. Lemburg mal at egenix.com
Tue Apr 27 12:21:00 EDT 2021


I don't see where this is a vulnerability. Of course, you can delete
the account you just created. It would be bad if you were able to
delete other accounts in this way, but that's not the case.

On 27.04.2021 18:00, Victor Stinner wrote:
> Hi,
> 
> Can someone please have a look? We receive this email on the Python
> security list.
> 
> Thanks,
> Victor
> 
> On Sat, Mar 20, 2021 at 1:26 PM shubham more
> <shubhammore262001 at gmail.com> wrote:
>>
>> Title:
>> insecure account deletion
>>
>> Description:
>> Hi Team,
>>
>> The removal of an account is one of the sensitive parts of a web
>> application that needs to be protected, therefore removing an account
>> should validate the authenticity of the user. However, I have found
>> that when removing an account, the system did not require the user
>> to input the account password.
>>
>> Steps to reproduce:
>> 1) go to website https://www.python.org/accounts/signup/ -> sign up
>> 2) log in
>> 3) click on edit profile
>> 4) scroll to the website's last option, delete account
>> 5) click on delete account
>> result: account deleted successfully
>>
>> Impact:
>> An intruder can easily delete the account because the system did not
>> protect it by asking for the password to validate that the person
>> deleting the account is the real user.
>> _______________________________________________
>> PSRT mailing list -- psrt at python.org
>> To unsubscribe send an email to psrt-leave at python.org
>> https://mail.python.org/mailman3/lists/psrt.python.org/
>> Member address: vstinner at python.org
> 
> 
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Apr 27 2021)
>>> Python Projects, Coaching and Support ...    https://www.egenix.com/
>>> Python Product Development ...        https://consulting.egenix.com/
________________________________________________________________________

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               https://www.egenix.com/company/contact/
                     https://www.malemburg.com/
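The thread turns on one design question: whether deleting an account should be gated by a valid login session alone, or should additionally require the user to re-enter their password. The following is an added, self-contained illustration written for this page; it is not code from python.org or from anyone in the thread, and it makes no claim about how the real site is implemented. The in-memory `AccountStore`, its user "alice" and the passwords are constructed sample data. It shows both gates side by side so the difference the report is describing is concrete: the session-only variant lets anyone holding a valid session token delete the account, while the re-authentication variant also rejects a request that does not carry the correct current password.

```python
import hashlib
import hmac
import os
import secrets


class AccountStore:
    """Hypothetical in-memory account and session store (constructed for this example)."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, PBKDF2 hash of password)
        self._sessions = {}  # session token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = (salt, self._hash(password, salt))

    def verify_password(self, username, password):
        entry = self._accounts.get(username)
        if entry is None:
            return False
        salt, stored = entry
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._hash(password, salt), stored)

    def login(self, username, password):
        if not self.verify_password(username, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def exists(self, username):
        return username in self._accounts

    def _remove(self, username):
        del self._accounts[username]
        # Drop every session belonging to the deleted user.
        self._sessions = {t: u for t, u in self._sessions.items() if u != username}

    def delete_account_session_only(self, token):
        """Gate 1: a valid session is sufficient (what the report says it observed)."""
        username = self._sessions.get(token)
        if username is None:
            return False
        self._remove(username)
        return True

    def delete_account_reauth(self, token, password):
        """Gate 2: a valid session AND the current password (what the report asks for)."""
        username = self._sessions.get(token)
        if username is None or not self.verify_password(username, password):
            return False
        self._remove(username)
        return True


def run_scenarios():
    """Exercise both gates on constructed data and return the observed outcomes."""
    # Session-only gate: holding a valid token is enough to delete the account.
    s1 = AccountStore()
    s1.create("alice", "correct horse")
    t1 = s1.login("alice", "correct horse")
    session_only_deleted = s1.delete_account_session_only(t1)

    # Re-authentication gate: the token alone no longer suffices.
    s2 = AccountStore()
    s2.create("alice", "correct horse")
    t2 = s2.login("alice", "correct horse")
    wrong_pw = s2.delete_account_reauth(t2, "wrong password")
    still_there = s2.exists("alice")
    bogus_token = s2.delete_account_reauth("not-a-real-token", "correct horse")
    right_pw = s2.delete_account_reauth(t2, "correct horse")
    gone = not s2.exists("alice")
    # After deletion the old token must be dead as well.
    stale_token_reuse = s2.delete_account_session_only(t2)

    return {
        "session_only_deleted": session_only_deleted,
        "wrong_pw": wrong_pw,
        "still_there": still_there,
        "bogus_token": bogus_token,
        "right_pw": right_pw,
        "gone": gone,
        "stale_token_reuse": stale_token_reuse,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The re-authentication variant is the usual mitigation against an unattended logged-in browser or a stolen session cookie being used for an irreversible action; it does not change who is allowed to delete the account, only what evidence is demanded at the moment of deletion.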