Vulnerability in EPiServer.Forms
We had a security audit and they pointed out that changing a user's password doesn't require the current password.
Is there a configuration or such that would enable requiring the current password when a user is changing a password?
For editors and admins...no. You can set the new password without the old.
For your other users, that is solution specific and needs to be built by a developer. Normally you have a link to a "change password" function on your profile page. Add an extra field to the GUI, and the easiest is to use the membership provider's ChangePassword method in the backend...
var ICanHazSuccess = System.Web.Security.Membership.Provider.ChangePassword("Daniel", "oldpass", "newpass"); // returns false when "oldpass" does not match the current password
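One way to wire the approach above into a profile page, as an added example that is not code from the thread or from EPiServer: an ASP.NET MVC action that takes the current password from the form and lets Membership.Provider.ChangePassword verify it server-side (ChangePasswordModel and AccountController are assumed names).

```csharp
// Added example; ChangePasswordModel and AccountController are hypothetical names.
using System;
using System.Web.Mvc;
using System.Web.Security;

public class ChangePasswordModel
{
    public string CurrentPassword { get; set; }
    public string NewPassword { get; set; }
    public string ConfirmPassword { get; set; }
}

[Authorize]
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePassword(ChangePasswordModel model)
    {
        // Operate on the authenticated user only; never take the username
        // from the request, so one user cannot change another user's password.
        string userName = User.Identity.Name;

        if (string.IsNullOrEmpty(model.CurrentPassword) || string.IsNullOrEmpty(model.NewPassword))
            ModelState.AddModelError("", "Both the current and the new password are required.");
        else if (model.NewPassword != model.ConfirmPassword)
            ModelState.AddModelError("", "The new password and its confirmation do not match.");
        else if (model.NewPassword == model.CurrentPassword)
            ModelState.AddModelError("", "The new password must differ from the current one.");
        if (!ModelState.IsValid)
            return View(model);

        bool changed;
        try
        {
            // The provider checks CurrentPassword itself and returns false when it
            // is wrong, so the old-password requirement holds even if the form is bypassed.
            changed = Membership.Provider.ChangePassword(userName, model.CurrentPassword, model.NewPassword);
        }
        catch (MembershipPasswordException) { changed = false; } // new password rejected by provider rules
        catch (ArgumentException) { changed = false; }           // invalid argument (e.g. empty/too long)

        if (!changed)
        {
            // Deliberately vague: do not reveal which of the two checks failed.
            ModelState.AddModelError("", "The current password is incorrect or the new password is not allowed.");
            return View(model);
        }
        return RedirectToAction("ChangePasswordSuccess");
    }
}
```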
We recently found the same issue in a security audit. It has been reported to support. I'll keep you posted about the outcome of it.
Thanks for the replies and Mattias for making a ticket for it.
In our case this would be needed for editors and admins; I figured that it would just be some sort of setting in web.config to enable.
Hello again! Have you received any news regarding the ticket?
Sorry I haven't reported back here. Epi has accepted it as a bug and it's in their todo, no estimate on when it will be implemented though.