Hi,

Can someone please have a look? We received this email on the Python security list.

Thanks,
Victor

On Sat, Mar 20, 2021 at 1:26 PM shubham more <shubhammore262...@gmail.com> wrote:
>
> Title:
> Insecure account deletion
>
> Description:
> Hi Team,
>
> The removal of an account is one of the sensitive parts of a web
> application that need to be protected; therefore removing an account
> should validate the authenticity of the user. However, I have found that
> when removing an account, the system did not require the user to input
> the account password.
>
> Steps to reproduce:
> 1) Go to the website https://www.python.org/accounts/signup/ -> sign up
> 2) Log in
> 3) Click on "edit profile"
> 4) Scroll to the website's last option, "delete account"
> 5) Click on "delete account"
> Result: account deleted successfully
>
> Impact:
> An intruder can easily delete the account because the system did not
> protect it by asking for the password to validate that the person
> deleting the account is the real user.
> _______________________________________________
> PSRT mailing list -- p...@python.org
> To unsubscribe send an email to psrt-le...@python.org
> https://mail.python.org/mailman3/lists/psrt.python.org/
> Member address: vstin...@python.org

--
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
https://mail.python.org/mailman/listinfo/pydotorg-www
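The control the report says is missing is re-authentication before a sensitive, irreversible action. The following is an added, framework-free Python model of that control, written for this thread; it is not python.org's code and makes no claim about how the site is implemented. The user store, the PBKDF2 parameters and the function names are assumptions chosen for the example. It shows the session-only deletion the report describes beside a hardened form that refuses to delete unless the logged-in user confirms their current password, so a hijacked or unattended session alone is not enough to destroy an account.

```python
"""Re-authentication before account deletion (added example, not python.org code)."""
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: user id -> (salt, password hash).
_USERS = {}

# Hypothetical PBKDF2 work factor, kept modest so the example runs quickly;
# a production deployment would use a much higher iteration count.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash; never store or compare the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(user_id: str, password: str) -> None:
    """Register a user with a fresh random salt (constructed test data goes through here)."""
    salt = os.urandom(16)
    _USERS[user_id] = (salt, _hash_password(password, salt))


def verify_password(user_id: str, password: str) -> bool:
    """Return True only if the supplied password matches the stored hash."""
    record = _USERS.get(user_id)
    if record is None:
        return False
    salt, expected = record
    # Constant-time comparison so the check leaks no timing information.
    return hmac.compare_digest(_hash_password(password, salt), expected)


def delete_account_insecure(session_user: str) -> str:
    """The behaviour the report describes: an authenticated session is all it takes."""
    if session_user not in _USERS:
        return "no such account"
    del _USERS[session_user]
    return "deleted"


def delete_account(session_user: str, password_confirmation: str) -> str:
    """Hardened form: the current password must be confirmed before deletion proceeds."""
    if session_user not in _USERS:
        return "no such account"
    if not verify_password(session_user, password_confirmation):
        # Refuse without revealing anything further; a real application would also
        # log the failed confirmation server-side for detection purposes.
        return "password confirmation failed"
    del _USERS[session_user]
    return "deleted"


if __name__ == "__main__":
    create_account("alice", "correct horse battery staple")
    print(delete_account("alice", "wrong password"))               # refused
    print(delete_account("alice", "correct horse battery staple"))  # deleted
```

In a real web application the confirmation would come from a dedicated form field on the deletion page (together with the usual CSRF protection), and the same re-authentication step applies to other irreversible or high-impact actions such as changing the e-mail address or password.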