Password change in "your account" page

[CrazyHackGUT]

What are the steps to reproduce this issue?

1. Translate webpanel to any language, except JS scripts.
2. Try change password from account page, in Current password try input 1234567890.

What happens?

Password changes, because "current password" validation is placed on client code. And code just checks text in element.

sourcebans-pp/web/themes/default/page_youraccount.tpl

Lines 196 to 207 in ec1b03d

	function dispatch()
	{
	if($('current.msg').innerHTML == "Incorrect password.")
	{
	alert("Incorrect Password");
	return false;
	}
	if(checkYourAcctPass() && error == 0)
	{
	xajax_ChangePassword(-{$user_aid}-, $('pass2').value);
	}
	}

What were you expecting to happen?

Password don't should be changed.

Any other comments?

Code for "Password verification" should be placed on server, in ChangePassword() function.