
Users should be asked for their credentials when setting new email addresses
Closed, Resolved · Public

Description

I assume our check for the old password in Special:Resetpass is there to prevent the case where I change someone's password while I'm using his computer and he hasn't logged out of his account.

However, allowing a new email address to be set without typing the password again makes this check useless, since I can change/set his email address to mine and request a new password. In this way I can get his account without knowing his old password.


Version: 1.16.x
Severity: enhancement

Details

Reference
bz27060

Event Timeline

bzimport raised the priority of this task from to High.Nov 21 2014, 11:20 PM
bzimport set Reference to bz27060.
bzimport added a subscriber: Unknown Object (MLST).

Thanks for reporting this, it will probably be fixed after 1.17.

Just a note for someone who implements this:

Some authentication extensions use special ways to check users' credentials, assign users invalid password hashes in MediaWiki database and call $user->setCookies() to log users in. In MediaWiki core, extensions should be asked whether they have their own methods to authenticate users.
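The takeover chain from the description (open session, change the e-mail, request a reset, read the reset mail) and the note above about extensions that authenticate users outside the core password hash, modelled in a small added Python example. This is illustration written for this page, not MediaWiki code; the `Wiki` class, the `Authenticator` hook, the mail outbox and the reset-token flow are all assumptions standing in for the real Special:ResetPass / Special:PasswordReset machinery.

```python
"""Added illustration (not MediaWiki code): an attacker who has a victim's open
session but not the password can take the account over if the e-mail address
can be changed without re-entering the password. Requiring the current
credentials, with a hook so auth extensions can answer for their own users,
closes that path. All names and the reset flow here are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical extension hook: returns True/False if it handles this user,
# None to let core fall back to the stored password hash.
Authenticator = Callable[[str, str], Optional[bool]]


@dataclass
class Account:
    name: str
    email: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: Optional[bytes] = None  # None models the "invalid hash" an auth extension stores


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Wiki:
    def __init__(self, authenticators=()):
        self.accounts: dict[str, Account] = {}
        self.reset_tokens: dict[str, str] = {}    # username -> outstanding token
        self.outbox: list[tuple[str, str]] = []   # constructed "sent mail": (to, token)
        self.authenticators = list(authenticators)

    def create(self, name, email, password=None):
        acct = Account(name, email)
        if password is not None:
            acct.pw_hash = _hash(password, acct.salt)
        self.accounts[name] = acct

    def check_password(self, name, password) -> bool:
        for auth in self.authenticators:          # ask extensions first
            verdict = auth(name, password)
            if verdict is not None:
                return verdict
        acct = self.accounts[name]
        if acct.pw_hash is None:                  # no usable core hash
            return False
        return hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))

    # Vulnerable: a valid session is all that is required.
    def change_email_unchecked(self, session_user, new_email):
        self.accounts[session_user].email = new_email

    # Fixed: the current credentials are required as well.
    def change_email(self, session_user, new_email, password):
        if not self.check_password(session_user, password):
            raise PermissionError("current password required to change e-mail")
        self.accounts[session_user].email = new_email

    # Password reset by mail: the step the attacker abuses.
    def request_password_reset(self, name):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[name] = token
        self.outbox.append((self.accounts[name].email, token))

    def reset_password(self, name, token, new_password):
        if not hmac.compare_digest(self.reset_tokens.get(name, ""), token):
            raise PermissionError("bad reset token")
        acct = self.accounts[name]
        acct.pw_hash = _hash(new_password, acct.salt)
        del self.reset_tokens[name]


def takeover_via_email_change(require_password: bool) -> bool:
    """Attacker holds the victim's open session. Returns True if the attacker
    ends up knowing a working password for the account."""
    wiki = Wiki()
    wiki.create("victim", "victim@example.org", "correct horse battery")
    try:
        if require_password:
            wiki.change_email("victim", "attacker@example.net", "guess")  # attacker does not know it
        else:
            wiki.change_email_unchecked("victim", "attacker@example.net")
    except PermissionError:
        return False
    wiki.request_password_reset("victim")
    to_addr, token = wiki.outbox[-1]   # the reset mail now lands in the attacker's inbox
    assert to_addr == "attacker@example.net"
    wiki.reset_password("victim", token, "attacker-chosen")
    return wiki.check_password("victim", "attacker-chosen")


def extension_user_can_change_email(password: str) -> bool:
    """A user whose credentials live in an auth extension has no core hash, so
    the check must consult the extension instead of rejecting outright."""
    directory = {"ldapuser": "s3cret"}  # constructed stand-in for an external directory
    ext = lambda user, pw: (directory[user] == pw) if user in directory else None
    wiki = Wiki(authenticators=[ext])
    wiki.create("ldapuser", "ldap@example.org")  # no password: core hash stays None
    try:
        wiki.change_email("ldapuser", "new@example.org", password)
    except PermissionError:
        return False
    return wiki.accounts["ldapuser"].email == "new@example.org"


if __name__ == "__main__":
    print("unchecked change, takeover:", takeover_via_email_change(False))  # True
    print("password required, takeover:", takeover_via_email_change(True))  # False
    print("extension user, right password:", extension_user_can_change_email("s3cret"))  # True
```

The point of `check_password` consulting `authenticators` before the stored hash is exactly the caveat in the note above: for users logged in by an extension the core hash is deliberately unusable, so a re-authentication check that only looks at the hash would lock those users out of changing their address rather than protecting them.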

+1 for this being a good idea.

As it stands, I believe the worst case for an XSS vulnerability is to change the email and steal the account. Requiring a password would help mitigate this.

(Of course, once you have an XSS attack the user is still pretty screwed regardless, because you can still use JS to vandalize in the user's name, or present the user with a very convincing "you need to re-login" screen to steal their password, etc.)

  • Bug 20185 has been marked as a duplicate of this bug.

This is duped the wrong way. Fixing.

  • This bug has been marked as a duplicate of bug 20185.