To hedge against a scenario where an attacker has local or even
physical access to a computer where a user is logged in.
While that general scenario can neither be detected nor really
secured against, at least not without requiring re-authentication on
every API call that can have side effects (i.e., all but the GET method),
it still makes sense to ensure that credentials cannot be modified,
which would allow denial of service.
See the related pve-access-control commit 5bcf553 ("user: password change: require confirmation-password parameter")
Reported-by: Wouter Arts <security@wth-security.nl>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
handler: function() {
var win = Ext.create('Proxmox.window.PasswordEdit', {
userid: Proxmox.UserName,
+ confirmCurrentPassword: Proxmox.UserName !== 'root@pam',
});
win.show();
},
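Review bot: the exemption `Proxmox.UserName !== 'root@pam'` on the added `confirmCurrentPassword` line is not explained anywhere in the commit message, which only motivates requiring the current password in general; a short comment above the line (or a sentence in the message) stating why root@pam is allowed to change its own password without confirmation would stop a later reader from "fixing" it. Since this hunk relies on `Proxmox.window.PasswordEdit` understanding the new `confirmCurrentPassword` option and on the backend accepting the confirmation parameter from pve-access-control 5bcf553, the corresponding dependency bumps (widget toolkit and pve-access-control) should be part of this change or named in the message.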
handler: function(btn, event, rec) {
Ext.create('Proxmox.window.PasswordEdit', {
userid: rec.data.userid,
+ confirmCurrentPassword: Proxmox.UserName !== 'root@pam',
autoShow: true,
listeners: {
destroy: () => reload(),
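Review bot: here the confirmation decision is keyed on the logged-in user (`Proxmox.UserName`) while the dialog edits a different account (`rec.data.userid`), so a non-root administrator is asked for their own current password when changing someone else's, and root@pam is never asked. That is consistent with the first hunk, but since the two lines read differently (`userid: rec.data.userid` versus the `Proxmox.UserName` check right below it) a comment making clear that it is the acting user's password that is confirmed, not the target's, would help; the commit message could also state this explicitly.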