Defect #6254
Remove "Unknown user" notification on password request with non-existent email address
Status: Closed
% Done: 0%
Resolution: Fixed
Description
Currently, it is possible to retrieve valid e-mail addresses from the system by simply trying to request a password for them. If the e-mail address is not valid, Redmine will show a notification stating this.
It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.
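The behaviour reported above next to the requested one, as an added example that is not part of the original report and is not Redmine's code. The handler names, the sample account, the in-memory outbox and the wording of the success notice are assumptions made for illustration.

```ruby
# Added example: minimal stand-in for a "lost password" handler.
# USERS, OUTBOX, NOTICE_* and lost_password_* are hypothetical names, not Redmine's.
require 'securerandom'

USERS  = { 'alice@example.net' => 'alice' }.freeze # constructed sample account
OUTBOX = []                                        # stands in for the mailer

NOTICE_SENT    = 'An email with instructions to choose a new password has been sent to you.'
NOTICE_UNKNOWN = 'Unknown user.'

def normalize(email)
  email.to_s.strip.downcase
end

def deliver_reset(email)
  OUTBOX << { to: email, token: SecureRandom.hex(20) }
end

# Reported behaviour: the response reveals whether the address is registered.
def lost_password_before(email)
  email = normalize(email)
  return { status: 200, flash: NOTICE_UNKNOWN } unless USERS.key?(email)

  deliver_reset(email)
  { status: 200, flash: NOTICE_SENT }
end

# Requested behaviour: one response in every scenario; mail is sent
# only when the address belongs to an account.
def lost_password_after(email)
  email = normalize(email)
  deliver_reset(email) if USERS.key?(email)
  { status: 200, flash: NOTICE_SENT }
end

# Regression check: true when a handler answers differently for a
# registered and an unregistered address.
def leaks_existence?(handler)
  send(handler, 'alice@example.net') != send(handler, 'nobody@example.net')
end

if __FILE__ == $PROGRAM_NAME
  puts "before leaks: #{leaks_existence?(:lost_password_before)}"
  puts "after leaks:  #{leaks_existence?(:lost_password_after)}"
end
```

A check like `leaks_existence?` is worth keeping as a regression test, since any later change that reintroduces a distinct message or status code for unknown addresses makes it fail.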
Updated by Go MAEDA about 8 years ago
- Has duplicate Defect #25144: Account Harvesting login issue added
Updated by Mischa The Evil over 2 years ago
- Has duplicate Defect #37517: User disclosure vulnerability via "Forgot password" functionality added
Updated by Go MAEDA about 2 years ago
- File 6254-v2.patch 6254-v2.patch added
- Target version changed from Unplanned backlogs to 5.1.0
Updated by Go MAEDA about 2 years ago
- Subject changed from Remove 'invalid user' notification on password request with invalid e-mailadress to Remove "Unknown user" notification on password request with non-existent email address
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed