Amit Kumar Mishra, posted October 31, 2018:
Hi, when we try to reset our password (client side) and enter any password, it says "email sent"; rather, it should say "invalid email" or "email not found", or anything meaningful, in case the email is not registered with the Blesta install. This is just a suggestion. Not sure if this has ever been brought to notice or not, not even sure if any work is being done on this or not. In case this is already on the to-do list, this may just be ignored.
Paul, posted October 31, 2018:
If it said something else, an attacker could throw a dictionary file of email addresses at your system and find out what users are registered. It's an attack vector. I think there is a setting for this in /config/blesta.php though:

// Default password reset value. Set to true for improved security, false for more accurate error reporting
Configure::set('Blesta.default_password_reset_value', true);

But I don't recall 100% if this is the one. You can try changing it to false and test. If it doesn't affect that, then just change it back.
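The behaviour Paul describes, a reset endpoint that answers identically whether or not the address is registered, is easy to get subtly wrong, so here is an added example (not Blesta's code; the flag name, user store and messages are constructed for illustration). The `uniform_response` parameter plays the role of the `Blesta.default_password_reset_value` setting: with it on, the visible message and the amount of work done are the same for every address, and only the server-side outbox differs; with it off, the response becomes the "accurate error reporting" that leaks account existence. The `responses_leak_existence` helper is the check an operator can run against their own handler to confirm which mode they are in.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample account store standing in for the application's user table
# (hypothetical data for this example only).
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}

# One message for everybody: it does not confirm or deny that the address exists.
GENERIC_MESSAGE = "If that email address is registered, a reset link has been sent."


@dataclass
class ResetOutcome:
    message: str            # what the browser is shown
    email_queued: bool      # server-side only: was a reset mail actually queued?
    token_hash: Optional[str] = None  # server-side only: stored token hash


def _make_token() -> Tuple[str, str]:
    """Generate a reset token and the hash that would be persisted.

    This runs on every request, registered address or not, so that the
    response time does not act as a side channel for account existence.
    """
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token, token_hash


def request_password_reset(email: str, uniform_response: bool,
                           outbox: List[Tuple[str, str]]) -> ResetOutcome:
    """Handle a 'forgot password' request.

    uniform_response=True  -> same message and same work for every address.
    uniform_response=False -> 'accurate' errors that reveal whether the
                              address is registered (the enumeration oracle).
    """
    exists = email.strip().lower() in REGISTERED_EMAILS
    token, token_hash = _make_token()   # always done, see _make_token()

    if exists:
        # Only here does anything observable outside the server happen,
        # and it happens out of band (the mail), not in the HTTP response.
        outbox.append((email, token))

    if uniform_response:
        return ResetOutcome(GENERIC_MESSAGE, email_queued=exists,
                            token_hash=token_hash if exists else None)

    # Accurate-error mode: convenient for users, but the message itself now
    # tells the caller whether the address is registered.
    if exists:
        return ResetOutcome("Email sent", email_queued=True, token_hash=token_hash)
    return ResetOutcome("Email not found", email_queued=False)


def responses_leak_existence(uniform_response: bool) -> bool:
    """Self-check for operators: does the handler answer a known-registered
    address differently from an unregistered one? True means enumerable."""
    known = request_password_reset("alice@example.com", uniform_response, [])
    unknown = request_password_reset("no-such-user@example.com", uniform_response, [])
    return known.message != unknown.message


if __name__ == "__main__":
    for mode in (True, False):
        print(f"uniform_response={mode}: leaks existence ->",
              responses_leak_existence(mode))
```

Note that a uniform message alone is not the whole story: rate limiting on the endpoint and keeping the mail delivery out of the synchronous response path matter too, because the remaining differences (time taken, or whether a mail arrives) are what an attacker would fall back on once the error text stops helping.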
Amit Kumar Mishra (author), posted October 31, 2018:
+1 for security measures. How can you #BlestaDevelopers think of everything from the beginning? Great work @Paul & Team.
Paul, posted October 31, 2018:
Thanks! I confirmed this is the setting, and I started a new page in our documentation for this. https://docs.blesta.com/display/user/Config+Files#ConfigFiles-Blesta.default_password_reset_value