ID: 09436
Project: Bug reports
Category: Security
View Status: public
Last Update: 2015-02-11 15:57
Reporter: aesteban
Assigned To: aesteban
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.05+
Target Version: 2.05+
Summary: 09436: Forgotpassword functionality may disclose information about users
Description

By trial and error, an attacker can get information about users

Steps To Reproduce

1.- Enter forgotpassword page
2.- Set username: trialuser
3.- Set email address: trialemail@trial.com

Result: If this is not the correct email address, a message is shown.

Expected result: Quietly refusing to send email and showing a generic message "If your username exists and the email address you specified is correct you will receive an email..."

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 141229
I will donate to the project if issue is resolved: No
Browser: Firefox
Database type & version: Postgresql 9.3
Server OS (if known): Ubuntu 14.04
Webserver software & version (if known): Nginx 1.4.6
PHP Version: 5.5.9
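
The reported behaviour next to the expected result described above, as an added example that is not LimeSurvey's code or the committed fix. The user table, function names and reply strings are constructed for illustration, and mail is collected in an array instead of being sent.

```php
<?php
// Added example; not LimeSurvey code. All names and messages are constructed.
const GENERIC_MSG = 'If your username exists and the email address you specified '
                  . 'is correct, you will receive an email.';

// Constructed stand-in for the user table: username => registered email.
$users = ['trialuser' => 'owner@example.org'];

function matches(array $users, string $user, string $email): bool
{
    return isset($users[$user]) && strcasecmp($users[$user], $email) === 0;
}

// Behaviour from the report: the reply differs when the pair is wrong.
function forgotPasswordLeaky(array $users, string $user, string $email, array &$outbox): string
{
    if (!matches($users, $user, $email)) {
        return 'User name and/or email not found.';   // distinguishable reply
    }
    $outbox[] = $email;
    return 'A reset email has been sent.';
}

// Expected result from the report: refuse quietly, same reply either way.
function forgotPasswordGeneric(array $users, string $user, string $email, array &$outbox): string
{
    if (matches($users, $user, $email)) {
        $outbox[] = $email;   // queue the mail; never reveal whether this ran
    }
    return GENERIC_MSG;
}

$attempts = [
    ['trialuser', 'trialemail@trial.com'],   // wrong address, as in the steps
    ['trialuser', 'owner@example.org'],      // correct pair
];
foreach (['forgotPasswordLeaky', 'forgotPasswordGeneric'] as $handler) {
    $outbox = [];
    $replies = [];
    foreach ($attempts as [$user, $email]) {
        $replies[] = $handler($users, $user, $email, $outbox);
    }
    // One distinct reply means the response carries no signal about the guess.
    printf("%s: %d distinct replies, %d mail(s) queued\n",
        $handler, count(array_unique($replies)), count($outbox));
}
```

Queueing the mail instead of sending it inline also keeps the response time from differing between the matching and non-matching case.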


Activities

aesteban (developer), 2015-01-29 14:37, note ~31544

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14888

aesteban (developer), 2015-01-29 14:46, note ~31547

Fix committed to 2.06 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14892

c_schmitz (administrator), 2015-02-11 15:57, note ~31663

Version 2.05 Build 150211 released

Related Changesets

LimeSurvey: master 73c26f08

2015-01-29 13:36:24

aesteban

Fixed issue 09436: Forgotpassword functionality may disclose information about users
Affected Issues: 09436
mod - application/config/config-defaults.php
mod - application/controllers/admin/authentication.php

LimeSurvey: 2.06 bbb8f304

2015-01-29 13:46:36

aesteban

Fixed issue 09436: Forgotpassword functionality may disclose information about users
Affected Issues: 09436
mod - application/config/config-defaults.php
mod - application/controllers/admin/authentication.php

Issue History

Date Modified Username Field Change
2015-01-05 02:21 aesteban New Issue
2015-01-05 02:21 aesteban Status new => assigned
2015-01-05 02:21 aesteban Assigned To => aesteban
2015-01-29 14:37 aesteban Changeset attached => LimeSurvey master 73c26f08
2015-01-29 14:37 aesteban Note Added: 31544
2015-01-29 14:37 aesteban Resolution open => fixed
2015-01-29 14:46 aesteban Changeset attached => LimeSurvey 2.06 bbb8f304
2015-01-29 14:46 aesteban Note Added: 31547
2015-01-29 14:51 aesteban Status assigned => resolved
2015-02-11 15:57 c_schmitz Note Added: 31663
2015-02-11 15:57 c_schmitz Status resolved => closed