
password reset error


Amit Kumar Mishra


hi

When we try to reset our password (client side) and enter any password, it says "email sent".

Rather, it should say "invalid email" or "email not found", or anything meaningful, in case the email is not registered with the Blesta install.

This is just a suggestion.

Not sure if this has ever been brought to notice or not; not even sure if any work is being done on this or not.

In case this is already on the to-do list, this may just be ignored.


If it said something else, an attacker could throw a dictionary file of email addresses at your system and find out what users are registered. It's an attack vector.

I think there is a setting for this in /config/blesta.php though

// Default password reset value. Set to true for improved security, false for more accurate error reporting
Configure::set('Blesta.default_password_reset_value', true);

But I don't recall 100% if this is the one. You can try changing to false and test. If it doesn't affect that, then just change it back.
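The trade-off the reply describes, as an added example that is not Blesta's code: a reset handler whose reply is the same whether or not the address is registered (the behaviour the thread attributes to the `true` setting), a check that shows the "accurate" variant is a membership oracle, and a log-side detection for the dictionary-of-addresses pattern. The user store, addresses and log lines are constructed for the example.

```python
import secrets
from collections import defaultdict

# Constructed sample data: the addresses below are placeholders, not real users.
REGISTERED = {"alice@example.com", "bob@example.com"}

def request_password_reset(email, registered, uniform_response=True):
    """Return the message shown to whoever submitted the reset form.

    uniform_response=True is the behaviour the thread describes as safe: the
    same text comes back whether or not the address is registered, so the
    reply is not an oracle. False returns the 'more accurate' message that
    lets a caller test addresses one by one (user enumeration).
    """
    exists = email.strip().lower() in registered
    if exists:
        _token = secrets.token_urlsafe(32)  # would be stored hashed and emailed
        # Queue the mail instead of sending inline; otherwise the extra
        # delivery time is a timing side channel even with a uniform message.
    if uniform_response:
        return "email sent"
    return "email sent" if exists else "email not found"

def is_enumeration_oracle(registered, probes, uniform_response):
    """True if replies differ across probes, i.e. the endpoint leaks membership."""
    replies = {request_password_reset(p, registered, uniform_response) for p in probes}
    return len(replies) > 1

# Constructed reset-request log: "<unix_ts> <client_ip> reset_request <email>".
SAMPLE_LOG = """\
1700000000 203.0.113.5 reset_request alice@example.com
1700000002 203.0.113.5 reset_request carol@example.com
1700000003 203.0.113.5 reset_request dave@example.com
1700000005 203.0.113.5 reset_request erin@example.com
1700000006 203.0.113.5 reset_request frank@example.com
1700000100 198.51.100.7 reset_request bob@example.com
"""

def flag_reset_enumeration(log_text, threshold=5):
    """Return client IPs that requested resets for >= threshold distinct addresses.

    A uniform message removes the oracle, but a source cycling through many
    addresses still stands out in the reset-request log.
    """
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        _ts, ip, event, email = line.split()
        if event == "reset_request":
            per_ip[ip].add(email.lower())
    return sorted(ip for ip, emails in per_ip.items() if len(emails) >= threshold)
```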
