No error on Password recovery with unknown user

ploef

Joined: 2011-05-11
Posts: 11
Posted: Tue, 2013-02-05 21:30

Greetings,

I just noticed that when users use the password recovery option and enter an incorrect username, no error is displayed.
It just displays that a password reset mail has been sent.
But as the user entered an incorrect username, no recovery mail has been sent, and the user is not aware of this.

When checking in the log on the dashboard, we see clearly that a password reset has been asked by an unknown user.

Is the absence of an error message when requesting a PW reset with an unknown username intended or can this be added?

With kind regards,

floridave

Joined: 2003-12-22
Posts: 27300
Posted: Tue, 2013-02-05 22:56

It is a security measure to not divulge if that user does in fact exist. The code to change the behavior is:

    } else if (!$user) {
      // Don't include the username here until you're sure that it's XSS safe
      log::warning(
                   "user", t("Password reset email requested for user %user_name, which does not exist.",
                             array("user_name" => $user_name)));
    } else {
      log::warning(
          "user", t("Password reset failed for %user_name (has no email address on record).",
                    array("user_name" => $user->name)));
    }

    // Always pretend that an email has been sent to avoid leaking
    // information on what user names are actually real.
    message::success(t("Password reset email sent"));
    json::reply(array("result" => "success"));
  }

in user/controllers/password.php

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
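The pattern Dave's snippet relies on, written out as a stand-alone example (this is added illustration code in Python, not Gallery 3's own password.php, which is PHP): every branch returns the same public message and result, and the distinction between "unknown user", "user with no email" and "mail sent" lives only in the admin log. The user directory, the `sent_mail` list standing in for the mailer, and the token placeholder are all constructed for the example.

```python
"""Uniform password-reset responses: the browser never learns whether a
user name exists. Added example; the user directory and mailer are stand-ins."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    name: str
    email: Optional[str]


@dataclass
class ResetOutcome:
    # What the requester sees: must be identical in every branch.
    public_message: str
    public_result: str
    # What only the dashboard log sees: (level, category, message) tuples.
    log_entries: List[Tuple[str, str, str]] = field(default_factory=list)


# The one and only message the reset endpoint ever returns.
PUBLIC_MESSAGE = "Password reset email sent"

# Constructed sample directory: alice can be reset, bob has no email on record.
SAMPLE_USERS: Dict[str, User] = {
    "alice": User("alice", "alice@example.com"),
    "bob": User("bob", None),
}


def request_password_reset(user_name: str,
                           user_directory: Dict[str, User],
                           sent_mail: List[Tuple[str, str]]) -> ResetOutcome:
    """Handle a reset request without leaking account existence.

    sent_mail is a list that a hypothetical mailer appends to; a real
    implementation would hand the message to its mail subsystem instead.
    """
    log: List[Tuple[str, str, str]] = []
    user = user_directory.get(user_name)

    if user is None:
        # Log structured fields rather than interpolating the untrusted name
        # into markup; the log viewer is responsible for escaping on display.
        log.append(("warning", "user",
                    f"Password reset email requested for user {user_name!r}, "
                    "which does not exist."))
    elif not user.email:
        log.append(("warning", "user",
                    f"Password reset failed for {user.name} "
                    "(has no email address on record)."))
    else:
        # Placeholder token; a real system generates a random, expiring one.
        sent_mail.append((user.email, "reset-token-placeholder"))
        log.append(("info", "user", f"Password reset email sent to {user.name}."))

    # Always pretend that an email has been sent, regardless of branch.
    return ResetOutcome(PUBLIC_MESSAGE, "success", log)


def public_view(outcome: ResetOutcome) -> Tuple[str, str]:
    """The only part of an outcome that reaches the requester."""
    return (outcome.public_message, outcome.public_result)


def responses_indistinguishable(outcomes: List[ResetOutcome]) -> bool:
    """True when every outcome would look the same to the requester."""
    views = {public_view(o) for o in outcomes}
    return len(views) <= 1


if __name__ == "__main__":
    outbox: List[Tuple[str, str]] = []
    results = [request_password_reset(n, SAMPLE_USERS, outbox)
               for n in ("alice", "bob", "nobody")]
    print("indistinguishable to requester:", responses_indistinguishable(results))
    for name, r in zip(("alice", "bob", "nobody"), results):
        print(name, "->", public_view(r), "| log:", r.log_entries)
    print("mails actually sent:", outbox)
```

One caveat the snippet on the page does not cover: the branch that really sends mail does more work than the other two, so if the mailer is called synchronously the response time can still differ between existing and unknown accounts. Handing the message to a queue and returning immediately keeps the response uniform in timing as well as in content.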