09436: Forgotpassword functionality may disclose information about users

This bug affects 1 person(s).

254

ID	Project	Category	View Status	Date Submitted	Last Update

09436	Bug reports	Security	public	2015-01-05 02:21	2015-02-11 15:57

Reporter	aesteban	Assigned To	aesteban
Priority	normal	Severity	minor
Status	closed	Resolution	fixed
Product Version	2.05+
Target Version	2.05+

Summary	09436: Forgotpassword functionality may disclose information about users
Description	By trial and error, an attacker can get information about users
Steps To Reproduce	1.- Enter forgotpassword page 2.- Set username: trialuser 3.- Set email address: trialemail@trial.com Result: If this is not the correct email address, a message is shown. Expected result: Quietly refusing to send email and showing a generic message "If your username exists and the email address you specified is correct you will receive and email..."
Tags	No tags attached.

Bug heat	254
Complete LimeSurvey version number (& build)	141229
I will donate to the project if issue is resolved	No
Browser	Firefox
Database type & version	Postgresql 9.3
Server OS (if known)	Ubuntu 14.04
Webserver software & version (if known)	Nginx 1.4.6
PHP Version	5.5.9

User List	There are no users monitoring this issue.

aesteban 2015-01-29 14:37 developer ~31544	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14888

aesteban 2015-01-29 14:46 developer ~31547	Fix committed to 2.06 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14892

c_schmitz 2015-02-11 15:57 administrator ~31663	Version 2.05 Build 150211 released

LimeSurvey: master 73c26f08 2015-01-29 14:36 aesteban Details Diff	Fixed issue 09436: Forgotpassword functionality may disclose information about users	Affected Issues 09436
	mod - application/config/config-defaults.php	Diff File
	mod - application/controllers/admin/authentication.php	Diff File
LimeSurvey: 2.06 bbb8f304 2015-01-29 14:46 aesteban Details Diff	Fixed issue 09436: Forgotpassword functionality may disclose information about users	Affected Issues 09436
	mod - application/config/config-defaults.php	Diff File
	mod - application/controllers/admin/authentication.php	Diff File

Date Modified	Username	Field	Change
2015-01-05 02:21	aesteban	New Issue
2015-01-05 02:21	aesteban	Status	new => assigned
2015-01-05 02:21	aesteban	Assigned To	=> aesteban
2015-01-29 14:37	aesteban	Changeset attached	=> LimeSurvey master 73c26f08
2015-01-29 14:37	aesteban	Note Added: 31544
2015-01-29 14:37	aesteban	Resolution	open => fixed
2015-01-29 14:46	aesteban	Changeset attached	=> LimeSurvey 2.06 bbb8f304
2015-01-29 14:46	aesteban	Note Added: 31547
2015-01-29 14:51	aesteban	Status	assigned => resolved
2015-02-11 15:57	c_schmitz	Note Added: 31663
2015-02-11 15:57	c_schmitz	Status	resolved => closed