Bug 197

Summary: Any account can be easily sabotaged
Product: Lab Report Repository (nor houzi)
Reporter: IBRAHIM MOHAMED IBRAHIM ISMAIL <1525200991>
Component: Password resetting
Assignee: Mohamed Nor Abdullahi <mohamednor>
Status: CONFIRMED ---    
Severity: critical    
Priority: ---    
Version: unspecified   
Hardware: PC   
OS: Windows   

Description IBRAHIM MOHAMED IBRAHIM ISMAIL 2020-12-18 18:02:31 CST
Overview:

This might be the most critical bug ever produced in LRR.

If this bug were to actually happen in commercial software, it would cost the business millions if not billions of dollars.
And that system would get shut down immediately.

I'm not sure whether I can call this a bug or a security flaw/breach.

The problem, as the title suggests, is that anyone can at any time sabotage any account in LRR as long as they can provide the target's email and student ID.

Steps to reproduce:

1) Click on "Reset my password" under "Login" button in LRR's homepage.
2) Enter the targeted student's email and ID.
3) Click "Recover".
4) You will see a "password reset successfully" message, and it will ask you to sign up again.
5) On the homepage, enter the target student ID in the signup form, and click "Next".
6) Enter the target new information which includes his new password.
7) Congrats, you have just hacked someone.

Expected result:

The target should receive an email message with a link to reset his password by himself.

Actual result:

The target's account has been sabotaged.

Additional information:

I couldn't find the right term for this bug on the severity list, so I would like to propose a new exclusive term: "Disaster".
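The expected result above describes the standard fix: a reset request must not touch the account at all, and only the holder of a secret link emailed to the address on file may set a new password. The following is an added illustration of that flow, not LRR's code; the `PasswordResetService` class, the `https://lrr.example/reset` URL, the student ID `2000000001` and the in-memory user store are all constructed for the example.

```python
"""Token-based password reset (added example, not LRR's own code).

Key property: request_reset() never changes the account. Only
complete_reset() with an unexpired, unused token does, and that token
is known only to whoever receives the email.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60
_NEUTRAL_REPLY = "If those details match an account, a reset link has been emailed."


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """PBKDF2-HMAC-SHA256; returns salt || digest so the salt travels with the hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


class PasswordResetService:
    def __init__(self, users: dict, send_email, now=time.time):
        self.users = users          # student_id -> {"email": str, "password_hash": bytes}
        self.send_email = send_email  # callable(to_address, link)
        self.now = now
        self._pending = {}          # sha256(token) -> (student_id, expiry); never the raw token

    def request_reset(self, student_id: str, email: str) -> str:
        """Step 1: nothing about the account changes here; at most an email goes out."""
        user = self.users.get(student_id)
        if user is not None and hmac.compare_digest(user["email"].encode(), email.encode()):
            token = secrets.token_urlsafe(32)
            token_key = hashlib.sha256(token.encode()).hexdigest()
            self._pending[token_key] = (student_id, self.now() + TOKEN_TTL_SECONDS)
            self.send_email(user["email"], f"https://lrr.example/reset?token={token}")
        # Same reply whether or not the pair matched, so the form does not confirm IDs
        return _NEUTRAL_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: only the holder of an unexpired, unused token may set a password."""
        token_key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(token_key, None)   # pop makes the token single-use
        if entry is None:
            return False
        student_id, expiry = entry
        if self.now() > expiry:
            return False
        self.users[student_id]["password_hash"] = hash_password(new_password)
        return True


def demo() -> dict:
    """Constructed walk-through with sample data; returns what each step changed."""
    outbox = []
    users = {"2000000001": {"email": "student@lrr.example",
                            "password_hash": hash_password("original-pass")}}
    clock = [1_000_000.0]   # fake clock so expiry can be tested deterministically
    svc = PasswordResetService(users, lambda to, link: outbox.append((to, link)),
                               now=lambda: clock[0])
    results = {}

    svc.request_reset("2000000001", "student@lrr.example")
    # Knowing the ID and email alone must leave the existing password usable
    results["password_intact_after_request"] = verify_password(
        "original-pass", users["2000000001"]["password_hash"])
    results["email_sent_to_owner"] = outbox[0][0] == "student@lrr.example"
    # Without the emailed link the reset cannot be completed
    results["guess_rejected"] = not svc.complete_reset("not-the-token", "other-pass")
    token = outbox[0][1].split("token=")[1]
    results["owner_reset_ok"] = svc.complete_reset(token, "new-pass")
    results["new_password_works"] = verify_password(
        "new-pass", users["2000000001"]["password_hash"])
    results["token_single_use"] = not svc.complete_reset(token, "again")

    svc.request_reset("2000000001", "student@lrr.example")
    clock[0] += TOKEN_TTL_SECONDS + 1
    token2 = outbox[1][1].split("token=")[1]
    results["expired_rejected"] = not svc.complete_reset(token2, "late-pass")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two choices matter beyond the token itself: the store keeps only a hash of the token, so a leaked database copy does not yield usable reset links, and the reply to a reset request is identical whether or not the ID and email matched, so the form cannot be used to confirm which student IDs exist.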