Project

General

Profile

Actions
Copy link

Defect #6254

closed

Remove "Unknown user" notification on password request with non-existent email address

Added by Aron Rotteveel over 12 years ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Go MAEDA
Category:
Accounts / authentication
Target version:
5.1.0
Start date:
2010-08-31
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Currently, it is possible to retrieve valid e-mailaddreses from the system by simply trying to request a password for it. If the emailaddress is not valid, Redmine will show a notification stating this.

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.

Files

Download all files
6254.patch (1.47 KB) 6254.patch Go MAEDA, 2022-07-21 11:49
6254-v2.patch (42.3 KB) 6254-v2.patch Go MAEDA, 2023-01-26 10:06

Related issues

Has duplicate Redmine - Defect #25144: Account Harvesting login issueClosed

Actions
Has duplicate Redmine - Defect #37517: User disclosure vulnerability via "Forgot password" functionalityClosed

Actions
Actions
Copy link
 #1

Updated by Go MAEDA about 6 years ago

  • Has duplicate Defect #25144: Account Harvesting login issue added
Actions
Copy link
 #2

Updated by Go MAEDA about 6 years ago

source:tags/3.3.2/config/locales/en.yml#L153:

  notice_account_unknown_email: Unknown user.

Actions
Copy link
 #3

Updated by Go MAEDA about 6 years ago

Aron Rotteveel wrote:

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.

I completely agree. Redmine should always display notice_account_lost_email_sent ("An email with instructions to choose a new password has been sent to you.").

Actions
Copy link
 #4

Updated by j l 8 months ago

Hello,

I comment on this 12 years old defect because this is the only active one I found regarding this subject.
Is there a version in which this issue has been addressed, or a workaround ?

Thanks.
Regards,
JL

Actions
Copy link
 #5

Updated by Go MAEDA 8 months ago

The attached patch changes the message when the entered email address is invalid as follows. Comments are welcome.

Before: "Invalid user"
After: "An email with instructions to choose a new password has been sent to you"

Actions
Copy link
 #6

Updated by j l 8 months ago

This patch should indeed do the trick, thanks !

I would even suggest updating the message to more accurately reflect the reality. Something like "An email with instructions to choose a new password has been sent if the mail address matches an existing account"

Actions
Copy link
 #7

Updated by Mischa The Evil 8 months ago

  • Has duplicate Defect #37517: User disclosure vulnerability via "Forgot password" functionality added
Actions
Copy link
 #8

Updated by Mischa The Evil 7 months ago

  • Target version set to Unplanned backlogs
Actions
Copy link
 #9

Updated by Go MAEDA 2 months ago

Setting the target version to 5.1.0.

Actions
Copy link
 #10

Updated by Go MAEDA about 2 months ago

  • Subject changed from Remove 'invalid user' notification on password request with invalid e-mailadress to Remove "Unknown user" notification on password request with non-existent email address
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch.

Actions
Copy link

Also available in: Atom PDF