Defect #6254
closedRemove "Unknown user" notification on password request with non-existent email address
0%
Description
Currently, it is possible to retrieve valid e-mailaddreses from the system by simply trying to request a password for it. If the emailaddress is not valid, Redmine will show a notification stating this.
It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.
Files
Related issues
Updated by Go MAEDA almost 8 years ago
- Has duplicate Defect #25144: Account Harvesting login issue added
Updated by Go MAEDA almost 8 years ago
source:tags/3.3.2/config/locales/en.yml#L153:
notice_account_unknown_email: Unknown user.
Updated by Go MAEDA almost 8 years ago
Aron Rotteveel wrote:
It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.
I completely agree. Redmine should always display notice_account_lost_email_sent
("An email with instructions to choose a new password has been sent to you.").
Updated by j l over 2 years ago
Hello,
I comment on this 12 years old defect because this is the only active one I found regarding this subject.
Is there a version in which this issue has been addressed, or a workaround ?
Thanks.
Regards,
JL
Updated by Go MAEDA over 2 years ago
- File 6254.patch 6254.patch added
The attached patch changes the message when the entered email address is invalid as follows. Comments are welcome.
Before: "Invalid user"
After: "An email with instructions to choose a new password has been sent to you"
Updated by j l over 2 years ago
This patch should indeed do the trick, thanks !
I would even suggest updating the message to more accurately reflect the reality. Something like "An email with instructions to choose a new password has been sent if the mail address matches an existing account"
Updated by Mischa The Evil over 2 years ago
- Has duplicate Defect #37517: User disclosure vulnerability via "Forgot password" functionality added
Updated by Mischa The Evil about 2 years ago
- Target version set to Unplanned backlogs
Updated by Go MAEDA almost 2 years ago
- File 6254-v2.patch 6254-v2.patch added
- Target version changed from Unplanned backlogs to 5.1.0
Setting the target version to 5.1.0.
Updated by Go MAEDA almost 2 years ago
- Subject changed from Remove 'invalid user' notification on password request with invalid e-mailadress to Remove "Unknown user" notification on password request with non-existent email address
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the patch.