Project

General

Profile

Actions

Defect #6254

closed

Remove "Unknown user" notification on password request with non-existent email address

Added by Aron Rotteveel over 13 years ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Accounts / authentication
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Currently, it is possible to retrieve valid e-mailaddreses from the system by simply trying to request a password for it. If the emailaddress is not valid, Redmine will show a notification stating this.

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.


Files

6254.patch (1.47 KB) 6254.patch Go MAEDA, 2022-07-21 11:49
6254-v2.patch (42.3 KB) 6254-v2.patch Go MAEDA, 2023-01-26 10:06

Related issues

Has duplicate Redmine - Defect #25144: Account Harvesting login issueClosed

Actions
Has duplicate Redmine - Defect #37517: User disclosure vulnerability via "Forgot password" functionalityClosed

Actions
Actions #1

Updated by Go MAEDA about 7 years ago

  • Has duplicate Defect #25144: Account Harvesting login issue added
Actions #2

Updated by Go MAEDA about 7 years ago

source:tags/3.3.2/config/locales/en.yml#L153:

  notice_account_unknown_email: Unknown user.

Actions #3

Updated by Go MAEDA about 7 years ago

Aron Rotteveel wrote:

It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.

I completely agree. Redmine should always display notice_account_lost_email_sent ("An email with instructions to choose a new password has been sent to you.").

Actions #4

Updated by j l over 1 year ago

Hello,

I comment on this 12 years old defect because this is the only active one I found regarding this subject.
Is there a version in which this issue has been addressed, or a workaround ?

Thanks.
Regards,
JL

Actions #5

Updated by Go MAEDA over 1 year ago

The attached patch changes the message when the entered email address is invalid as follows. Comments are welcome.

Before: "Invalid user"
After: "An email with instructions to choose a new password has been sent to you"

Actions #6

Updated by j l over 1 year ago

This patch should indeed do the trick, thanks !

I would even suggest updating the message to more accurately reflect the reality. Something like "An email with instructions to choose a new password has been sent if the mail address matches an existing account"

Actions #7

Updated by Mischa The Evil over 1 year ago

  • Has duplicate Defect #37517: User disclosure vulnerability via "Forgot password" functionality added
Actions #8

Updated by Mischa The Evil over 1 year ago

  • Target version set to Unplanned backlogs
Actions #9

Updated by Go MAEDA about 1 year ago

Setting the target version to 5.1.0.

Actions #10

Updated by Go MAEDA about 1 year ago

  • Subject changed from Remove 'invalid user' notification on password request with invalid e-mailadress to Remove "Unknown user" notification on password request with non-existent email address
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch.

Actions #11

Updated by Mischa The Evil 5 months ago

  • Start date deleted (2010-08-31)
Actions

Also available in: Atom PDF