CharlieH96
15 Apr 2021

Hi

This issue is about the users component disclosing if an Email Address is registered to a user or not.

Thanks

Steps to reproduce the issue

Use the com_users password reset process
Enter a registered Email
You now know this email is registered, as it redirects you, and can check for leaked passwords etc. in the hope of gaining access.
Enter an invalid Email
You now know this email is not valid due to the notice message.

Expected result

Most modern applications use a system which gives a vague message, such as: if the email exists, check your inbox.

Actual result

The email address is disclosed if it exists.

System information (as much as possible)

Joomla 3.9.24

Additional comments

There is no ideal way to modify this without making core changes from what I have seen

CharlieH96 - open - 15 Apr 2021
joomla-cms-bot - labeled - 15 Apr 2021
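The report above describes a classic user-enumeration oracle: the reset form redirects for a registered address and shows a notice for an unknown one, so an attacker can test addresses one by one. The block below is an added example, not code from the issue and not Joomla's com_users implementation. It contrasts a leaky handler (the behaviour reported) with a uniform-response handler that returns the same response either way and does the same token work on both paths. The user store, the ResetState stand-in for the mail queue and token table, and all function names are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed in-memory user store (email -> user id). Hypothetical; this is
# not Joomla's database schema.
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# One message for every outcome, so the response carries no membership signal.
GENERIC_NOTICE = ("If an account exists for that address, an email with "
                  "password reset instructions has been sent.")


@dataclass
class ResetState:
    """Stand-in for the outgoing mail queue and the reset-token table."""
    sent: list = field(default_factory=list)    # (email, token) pairs queued
    tokens: dict = field(default_factory=dict)  # user id -> sha256(token)


def normalize(email: str) -> str:
    """Canonical form used for the lookup (trim, lower-case)."""
    return email.strip().lower()


def hash_token(token: str) -> str:
    """Store only a hash of the token; a leaked table row is not a usable link."""
    return hashlib.sha256(token.encode()).hexdigest()


def reset_leaky(email: str, users=USERS, state=None):
    """The behaviour the issue reports: the response reveals membership."""
    if state is None:
        state = ResetState()
    norm = normalize(email)
    if norm in users:
        token = secrets.token_urlsafe(32)
        state.tokens[users[norm]] = hash_token(token)
        state.sent.append((norm, token))
        return ("redirect", "confirm")          # registered: redirect...
    return ("notice", "Invalid email address")  # ...unknown: error notice


def reset_uniform(email: str, users=USERS, state=None):
    """Same observable response whether or not the address is registered."""
    if state is None:
        state = ResetState()
    norm = normalize(email)
    # Generate and hash a token on BOTH paths so the amount of work (and the
    # response time) does not depend on whether the lookup succeeded.
    token = secrets.token_urlsafe(32)
    digest = hash_token(token)
    user_id = users.get(norm)
    if user_id is not None:
        state.tokens[user_id] = digest
        state.sent.append((norm, token))
    # Unknown address: the token is simply discarded; nothing stored or sent.
    return ("redirect", GENERIC_NOTICE)


def is_enumeration_oracle(handler, known: str, unknown: str) -> bool:
    """True if comparing the handler's responses for a registered and an
    unknown address tells the two apart (the check an attacker performs)."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, handler in (("leaky", reset_leaky), ("uniform", reset_uniform)):
        leaks = is_enumeration_oracle(handler, "alice@example.com",
                                      "nobody@example.com")
        print(f"{name}: {'LEAKS membership' if leaks else 'no oracle'}")
```

Equal response bodies are only half of it: if the registered path also sends mail synchronously, the response time still differs. Hand the message to a queue rather than an SMTP connection inside the request, and rate-limit the form per client so an attacker cannot cheaply sample thousands of addresses even through a residual timing difference.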
richard67 - comment - 15 Apr 2021

@CharlieH96 Would pull request #30787 solve your issue?

CharlieH96 - comment - 15 Apr 2021

Hi @richard67

Yes it looks like it would.

Any news on this being merged?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33138.

richard67 - comment - 15 Apr 2021

The pull request (PR) #30787 needs 2 good tests before it will get status "RTC" (ready to commit), and then later be merged.

For testing, apply the changes in the PR and test as described there in testing instructions part of the PR's description.

After the test, please mark your test result by going to the PR in our issue tracker here: https://issues.joomla.org/tracker/joomla-cms/30787, use the "Test this" button at the top left corner, select the appropriate test result (hopefully success) and then submit.

Would be great if you could test it.

Another thing we do is that we close an issue as soon as we have a PR which claims to solve it (and later re-open it if necessary, if it turns out that was wrong), and so I close this issue here. But thanks for reporting, maybe it puts more focus on that PR, and hopefully you can test it.

richard67 - close - 15 Apr 2021
richard67 - comment - 15 Apr 2021

Closing as having a pull request. Please test #30787. Thanks in advance.

richard67 - change - 15 Apr 2021
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2021-04-15 10:57:05
Closed_By: richard67
