evolvewh, posted February 5, 2018:

Right now, if someone leaves the username field blank or enters an email address that does not exist, Blesta still says 'A confirmation email has been sent to the address on record.' when in fact, nothing is ever going to be sent to them. I'd like to request that Blesta validates what is entered and if it's blank, display a message saying 'Please enter a valid username' or if the email address does not exist in the system, say 'There is no match in our system for the email address you entered' or something along these lines.
MineHarvest66, posted February 5, 2018:

20 minutes ago, evolvewh said: Right now, if someone leaves the username field blank or enters an email address that does not exist, Blesta still says 'A confirmation email has been sent to the address on record.' when in fact, nothing is ever going to be sent to them. I'd like to request that Blesta validates what is entered and if it's blank, display a message saying 'Please enter a valid username' or if the email address does not exist in the system, say 'There is no match in our system for the email address you entered' or something along these lines.

While Blesta needs to up their improvements, this is actually not one of them. The reason why this is the case is because it's to "spoil" exploiters from breaching clients' accounts. If they "think" that their entry "worked" then they will be less likely to keep on trying. It's kinda like cities having empty police cars, plain and simple but tends to work.
evolvewh (author), posted February 5, 2018:

15 minutes ago, MineHarvest66 said: While Blesta needs to up their improvements, this is actually not one of them. The reason why this is the case is because it's to "spoil" exploiters from breaching clients' accounts. If they "think" that their entry "worked" then they will be less likely to keep on trying. It's kinda like cities having empty police cars, plain and simple but tends to work.

I can understand that, which means they should implement an IP block. We get way too many support tickets about this and live chats with frustrated customers. There has to be somewhere to 'meet in the middle' and figure out a better, workable solution.
MineHarvest66, posted February 5, 2018:

3 minutes ago, evolvewh said: I can understand that, which means they should implement an IP block. We get way too many support tickets about this and live chats with frustrated customers. There has to be somewhere to 'meet in the middle' and figure out a better, workable solution.

Definitely, I can understand there may be a better solution to this. However, I am confused on how customers are unable to reset their passwords on a regular basis. Sure, I can get that on occasion one may forget, but if they are "forgetting" their emails on a regular basis there may be a deeper "problem". For example, if they use a non-primary email (which may indicate that they are "hiding" or going to commit "questionable activities").
Michael, posted February 5, 2018:

You can disable it telling you it's correct, but it does that to stop brute forcing. E.g.: I hacked your email account, and I know you have an account, so I keep trying everything until it goes to your email address.

Disable it: in /config/blesta.php find:

    // Default password reset value. Set to true for improved security, false for more accurate error reporting
    Configure::set('Blesta.default_password_reset_value', true);

and change it to false.
evolvewh (author), posted February 5, 2018:

1 hour ago, BlestaStore said: You can disable it telling you it's correct, but it does that to stop brute forcing. E.g.: I hacked your email account, and I know you have an account, so I keep trying everything until it goes to your email address. Disable it: in /config/blesta.php find:

    // Default password reset value. Set to true for improved security, false for more accurate error reporting
    Configure::set('Blesta.default_password_reset_value', true);

and change it to false.

Thanks Michael. We may just edit the error message instead of compromising security this way.
Tyson, posted February 5, 2018:

Just to reiterate, the form returns a success message even if the username does not match a user account in order to hide information. Knowing what valid usernames exist can open up attack vectors. As @BlestaStore mentioned, you can update the Blesta.default_password_reset_value config value to false to instead show an error message if the username does not match an account.
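The following is an added illustration of the trade-off discussed in this thread (Michael's config switch and Tyson's explanation of why the generic message exists, together with the per-IP limiting evolvewh asked for). It is Python written for this page, not Blesta's own PHP code: the user store, messages, IP addresses and limits are all constructed. The `generic` flag plays the role of `Blesta.default_password_reset_value`. It goes one step beyond the thread by treating a blank username as a form-validation error even in generic mode, since a blank value never corresponds to an account and so rejecting it reveals nothing about which accounts exist.

```python
"""Password-reset responses with and without account-existence protection.

Added example, not Blesta code. `generic=True` mirrors the shipped default
(`Blesta.default_password_reset_value = true`): the same success message is
returned whether or not the username matches. `generic=False` mirrors the
"more accurate error reporting" setting, which confirms non-existent accounts.
"""
import time
from collections import defaultdict, deque

# Constructed sample user store keyed by lower-cased username (email address).
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}

SUCCESS_MSG = "A confirmation email has been sent to the address on record."
NO_MATCH_MSG = "There is no match in our system for the email address you entered"
INVALID_MSG = "Please enter a valid username"
RATE_MSG = "Too many reset attempts; please try again later."

# Stand-in for the mail queue: usernames for which a reset mail would go out.
outbox = []


class IpRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per IP.

    This is the 'IP block' suggested in the thread; it caps how many guesses any
    one source can make regardless of which message the form shows.
    """

    def __init__(self, limit=5, window=900):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def request_reset(username, ip, limiter, generic=True, now=None):
    """Handle one reset request; return (http_status, message).

    Mail is only queued for accounts that really exist. In generic mode the
    caller cannot tell the two cases apart from the status or the message.
    """
    if not limiter.allow(ip, now):
        return 429, RATE_MSG
    username = (username or "").strip().lower()
    # Blank input is a form error, not an existence check, so it is safe to
    # report it in either mode (assumption made for this example).
    if not username:
        return 400, INVALID_MSG
    user = USERS.get(username)
    if user is not None:
        # In production the send itself should be asynchronous so that the
        # response time does not differ between the two branches either.
        outbox.append(username)
    if generic or user is not None:
        return 200, SUCCESS_MSG
    # Accurate reporting: friendlier to typos, but confirms the name is unknown.
    return 404, NO_MATCH_MSG


def leaks_account_existence(generic):
    """Defender self-check: do a real and an unknown username get different responses?"""
    lim = IpRateLimiter(limit=10, window=60)
    real = request_reset("alice@example.com", "203.0.113.7", lim, generic=generic, now=0)
    fake = request_reset("zed@example.com", "203.0.113.7", lim, generic=generic, now=0)
    return real != fake


if __name__ == "__main__":
    for mode in (True, False):
        print(f"generic={mode}: leaks account existence? {leaks_account_existence(mode)}")
```

The point of `leaks_account_existence` is that it is the check an operator can run against their own deployment after flipping the setting: with the generic message the two responses are identical, with accurate reporting they differ, and only the limiter bounds how many such comparisons one source can make. Editing the wording of the generic message, as evolvewh settled on, keeps the first property while the limiter addresses the second.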