[#46907] - [6.0] Captcha can be bypassed when resetting password
- New
- Medium
- Build: 5.4-dev
- # 46907
Steps to reproduce the issue
- Install a fresh version of Joomla
- Install a captcha of your choice, make it the default captcha for the entire site
- Open the frontend of the site, and navigate to "Forgot your password?"
- Enter an email address, but do not interact with the captcha
Expected result
The captcha fails, and either the page is reloaded with a message indicating that the captcha must be completed or navigation to the next step is prevented and a message indicates the captcha must be completed.
Actual result
Users are directed to the next step of the password reset form, but their is still a message indicating that the captcha must be completed.
Additional comments
I can confirm that the reset password email is only sent if the user completes the captcha, but it is a bit disorienting to let the user navigate to the next step that they won't be able to complete.
joomla-cms-bot
- | Labels |
Added:
No Code Attached Yet
|
||
Well, you cannot bypass captcha. You just cannot see the captcha error.
This is intentional behavior of the resetting page, but confusing in same time.
The page hides all errors on purpose.
And in current state there no way to distinguish Captcha error out of it.
I guess saying "bypass the captcha" is a bit of a misnomer, but the behaviour is certainly confusing.
Looking through Joomla\Component\Users\Site\Model\ResetModel, I don't see where it checks the captcha to block the email, so I'm not even sure a hook could be added that just redirects the user to the initial page instead of going to the confirm page.
I've tested this in 5.4, and the same functionality is there as well.