Can anyone tell me whether SilverStripe has a configuration option which can be enabled in order to force admin users to have to confirm their current password when they try to change their password?
I've just received results back from a security scan by PwC for a client project and one of the Medium-risk security issues flagged (to be fixed within 60 days) was the following:
Description
Observation:
Admin users are not required to enter their current password when changing their password.
Sample Affected URL:
http://<mysite.com>/admin/myprofile
Impact:
A malicious user, through the use of session hijacking, a man-in-the-middle attack, cross-site request forgery attacks or finding an unattended logged-in session, could change an account password without knowing the current password. Also, when a user cannot change their username or password, they cannot be proactive in guarding against the user credentials being compromised.
Recommendation:
It is a best practice to allow a user to alter his username and password. Further, it should require a user to provide his current password in conjunction with providing the new password to revalidate the identity of the user.
Any help would be greatly appreciated. Thanks.
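One way to satisfy the scan's recommendation in code, as an added example that is not part of the original post and not SilverStripe's own code. It assumes SilverStripe 3.x, where Member::getCMSFields() builds the profile form's password field as a ConfirmedPasswordField named "Password", and that this field class offers setRequireExistingPassword(); the extension class name is made up for the example.

```php
<?php
// Added example (not from the original post): a DataExtension that makes the
// CMS "My Profile" password field demand the member's current password before
// a new one is accepted. Assumes SilverStripe 3.x; check the field name and
// ConfirmedPasswordField API against your installed version.
//
// Register it in mysite/_config/config.yml (assumed path):
//   Member:
//     extensions:
//       - MemberProfilePasswordExtension
class MemberProfilePasswordExtension extends DataExtension
{
    public function updateCMSFields(FieldList $fields)
    {
        // Member::getCMSFields() adds a ConfirmedPasswordField named "Password".
        $password = $fields->dataFieldByName('Password');
        if (!($password instanceof ConfirmedPasswordField)) {
            return;
        }

        // ConfirmedPasswordField checks the *logged-in* member's password, so
        // only enforce it when a member edits their own record (the profile
        // page). An admin editing another member, or creating a new one, has
        // no "current password" of that member to confirm.
        $editingOwnRecord = $this->owner->ID
            && $this->owner->ID == Member::currentUserID();

        if ($editingOwnRecord) {
            // Adds a "Current Password" sub-field; validate() then rejects the
            // save unless it matches the stored hash of the logged-in member.
            $password->setRequireExistingPassword(true);
        }
    }
}
```

After adding the config, run /dev/build?flush=1 so the extension is registered, then re-test the profile page: a password change submitted without the current password should now fail validation.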