CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12282] Forgot password: don't disclose unknown username

Created By: Ruud van der Velden (ruudvdvelden)
Date Submitted: 2020-03-28 09:30

Assigned To: Fernando Morgado (JoMorg)
Resolution: Accepted
State: Open
Summary:
Forgot password: don't disclose unknown username
Detailed Description:
When using the forgot password feature of the CMSMS admin logon page, it
discloses whether a username has been found or not.

This could be considered a security risk.

My suggestion would be to just respond with something like "If the username has
been found, an email was sent to the user..."

Further, the email sent to the user states "If you feel this is incorrect or made
in error, simply ignore the email and nothing will change," which is fine if we
solve the first part of my request. Else it could be that an attacker has
guessed an admin username and this should not be ignored.
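
The behaviour the ticket describes and the suggested uniform reply, as an added example in Python that is not CMSMS code; the user store, the `Mailer` stand-in and the function names are constructed for illustration:

```python
"""Added example (not CMSMS code): a forgot-password handler whose reply
is identical whether or not the username exists, so the response cannot
be used to confirm admin usernames. All names here are hypothetical."""
import secrets
from dataclasses import dataclass, field

# Constructed sample user store: username -> email address.
USERS = {"admin": "admin@example.invalid"}

# The wording suggested in the ticket, returned in every case.
GENERIC_MESSAGE = ("If the username has been found, an email with reset "
                   "instructions has been sent to the address on file.")


@dataclass
class Mailer:
    """Records outgoing mail instead of sending it (constructed stand-in)."""
    sent: list = field(default_factory=list)

    def send(self, to, body):
        self.sent.append((to, body))


def forgot_password_disclosing(username, mailer):
    """The reported behaviour: the reply reveals whether the username exists."""
    email = USERS.get(username)
    if email is None:
        return "Username not found."
    mailer.send(email, f"Reset token: {secrets.token_urlsafe(32)}")
    return "A password reset email has been sent."


def forgot_password_uniform(username, mailer):
    """Hardened variant: mail is only sent when the user exists, but the
    caller sees the same message either way."""
    email = USERS.get(username)
    if email is not None:
        body = (f"Reset token: {secrets.token_urlsafe(32)}\n"
                "If you feel this is incorrect or made in error, simply "
                "ignore the email and nothing will change.")
        mailer.send(email, body)
    return GENERIC_MESSAGE
```

Hand the mail off to a queue rather than sending it inline, otherwise the extra time taken to send on a valid username can still distinguish the two cases.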

History

Updates

Updated: 2020-03-28 09:33
resolution_id: => 6