Defect #37517
User disclosure vulnerability via "Forgot password" functionality
| Status: | Closed | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Security | |||
| Target version: | - | |||
| Resolution: | Duplicate | Affected version: |
Description
The redmine application reveals the existing users in the system database and their current status by using the "forgot password" functionality, as different messages will appear when entering your email to recover your password if the user in the email is pending approval, does not correspond to any user or is assigned to an active user.
This could therefore help attackers to perform more sophisticated and targeted brute force attacks.
Solution: Display the same message when executing this functionality, without differentiating whether the user exists, is pending approval or is incorrect.
Related issues
History
#1
Updated by Mischa The Evil 6 days ago
- Duplicates Defect #6254: Remove 'invalid user' notification on password request with invalid e-mailadress added
#2
Updated by Mischa The Evil 6 days ago
- Status changed from New to Closed
- Resolution set to Duplicate
Thanks for filing this issue. Though, a similar request is already being tracked as issue #6254. As such I am closing this issue as a duplicate of it.