Khan Posted May 21, 2013

Having gone to the specified address, the user can replace the email address; as a result, they can replace it with the address of an existing user and, in that way, using the password-change facility, change the password and log in to the site under another user's account. https://github.com/ryancramerdesign/ProcessWire/pull/192
Nico Knoll Posted May 21, 2013

You're awesome! I'd never thought about something like this...
ryan Posted May 21, 2013

Not sure I get it, but I've been working hard all day and my mental energy is low. Nico it sounds like you get it? I went ahead and tried to reproduce the scenario, but can't seem to break anything here. Maybe I'm missing something? The email address is not an identifier for an account. Meaning, one can't login with an email address, nor does PW use the email as any kind of unique identity. If you think there is a security issue that can be reproduced, can you PM me the steps to reproduce?
Khan Posted May 21, 2013

Yes, you're right. But it may happen that I enter a registered user's e-mail instead of a wrong mail address, and after a period of time, when I forget the password and want to reset it, a system mail will be sent to that person. Thus, email addresses should be unique.
Wanze Posted May 21, 2013

But when I enter an email address from another person - forget my password - then the email gets sent to that address. I still would have to hack the person's email account to reset the password?
ryan Posted May 21, 2013

There aren't any core security issues that I can find here. But Khan is right that the email address really should be unique, just as a general security principle. Not enforcing unique emails does lead to potential security issues, or at least plenty of ambiguity when writing login/password related stuff. We should spare people from having to think about that in their own API code, and I think the solution has to be at the database level with a unique key on the email field. That way, if you are writing your own front-end login and/or password reset capability, you don't have to consider the implications of email addresses not being unique.

If you have the core "forgot password" module installed, then realize that your account is only as safe as your email (which I think is safe to assume for any such function). That means that you should only put in an email address you have access to, and if you ever lose that email, then make sure you update your account with your new email address. But of course, that would be a problem whether in ProcessWire or anywhere else. But there is a reason why the "forgot password" capability is not installed by default, and that's because such features always reduce security, even if they are written in a secure manner. So as always, leave the forgot-password capability uninstalled unless you absolutely need it (whether in PW or anywhere else).

"But when I enter an email address from another person - forget my password - then the email gets sent to that address. I still would have to hack the person's email account?"

Yes, you'd basically be giving the other person access to your account. Or at least the ability to reset your password. But it doesn't really matter if that person has an account or not, so long as the email has a recipient. But this is the nature of the beast, whether in ProcessWire or elsewhere.

I suppose making email addresses unique doesn't really matter all that much in this case. But I still agree on the value of having emails be unique. It just makes for a more bulletproof/less ambiguous user system.
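An added example (not ProcessWire's code) of the two points in Ryan's post: a unique key on the email column enforced at the database level, and reset code that refuses to act when one address matches more than one account. The users table and sample accounts are constructed for the demo.

```python
import sqlite3


def make_db(unique_email: bool) -> sqlite3.Connection:
    """Constructed demo schema (not ProcessWire's real users table).
    With unique_email=True the database itself rejects duplicate addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, email TEXT NOT NULL)"
    )
    if unique_email:
        # The unique key is what spares every front-end login/reset script
        # from handling the duplicate case on its own.
        conn.execute("CREATE UNIQUE INDEX users_email_unique ON users(email)")
    return conn


def add_user(conn: sqlite3.Connection, name: str, email: str) -> bool:
    """Insert an account; returns False when the database rejects the row."""
    try:
        conn.execute("INSERT INTO users(name, email) VALUES (?, ?)", (name, email))
        return True
    except sqlite3.IntegrityError:
        return False


def reset_target(conn: sqlite3.Connection, email: str):
    """Return the one user id a 'forgot password' mail for `email` may act on.
    Returns None when the address is unknown OR matches several accounts,
    so an ambiguous address never resets anybody's password."""
    rows = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchall()
    return rows[0][0] if len(rows) == 1 else None


if __name__ == "__main__":
    loose = make_db(unique_email=False)
    add_user(loose, "alice", "shared@example.com")
    add_user(loose, "bob", "shared@example.com")   # accepted without the key
    print("no unique key ->", reset_target(loose, "shared@example.com"))  # None

    strict = make_db(unique_email=True)
    add_user(strict, "alice", "shared@example.com")
    print("duplicate accepted?", add_user(strict, "bob", "shared@example.com"))  # False
    print("unique key ->", reset_target(strict, "shared@example.com"))  # 1
```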
fmgujju Posted May 22, 2013

http://processwire.com/talk/topic/1716-integrating-a-member-visitor-login-form/?p=29624 I have copied Ryan's custom login code and tested it out on my server and it works great! Thank you so much Ryan! Since I was testing with various users which I just created using the Admin panel and provided the same email address to different users, I find that I still receive the email with the temp password, but when I supply the username with the new temp password on the custom login screen I get a "Login Failed!" message! I was wondering if it's going to work with the same email address for different users? I have raised the same question on the above post. I am looking for unique email addresses for each user.