View Issue Details

IDProjectCategoryView StatusLast Update
0000804Main CAcert Websiteaccount administrationpublic2013-01-15 14:30
ReporterNEOatNHNG Assigned ToSourcerer  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Fixed in Version2010 Q3 
Summary0000804: Don't show the requested pass phrase in the mail sent to support
DescriptionEvery time someone tries his lost password questions and fails a mail is sent to support including what the member typed, what is in the system and the new pass phrase the member wanted to set.

We don't care for the intended password and it's a potential security risk if the mail leaks for some reason (some people even use the same password for multiple sites) so I propose to remove that line.
Additional InformationPatch included
TagsNo tags attached.
Attached Files
RequestedPassword.diff (753 bytes)   
--- cacert/www/index.php	2009-12-26 19:46:00.000000000 +0100
+++ cacert/www/index.php	2010-01-16 21:26:00.000000000 +0100
@@ -98,7 +98,6 @@
 			$body = "Someone has just attempted to update the pass phrase on the following account:\n".
 				"Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
 				"email: ".$_SESSION['lostpw']['user']['email']."\n".
-				"Requested Pass Phrase: ".$_SESSION['lostpw']['pw1']."\n".
 				"IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
 				"---------------------------------------------------------------------\n".$body.
 				"---------------------------------------------------------------------\n";
RequestedPassword.diff (753 bytes)   
Reviewed by
Test Instructions

Activities

edgarwahn

2010-08-04 11:09

developer   ~0001613

Ok, thats definitely a good idea, patch looks ok.

I'd even go one step further and drop all information from the form from the email. Just add enouth data to allow an support engineer to log into the system, identify the user and see the credentials over the web.

Sourcerer

2010-08-05 12:46

administrator   ~0001618

I have applied the patch on the production system.

I think it helped to have some details in the email, to get an easier overview on possible attack patterns when browsing through the emails. So if we want to remove the information from the email, we should add a web-page that provides that overview again.

Issue History

Date Modified Username Field Change
2010-01-16 20:32 NEOatNHNG New Issue
2010-01-16 20:32 NEOatNHNG File Added: RequestedPassword.diff
2010-08-04 11:09 edgarwahn Note Added: 0001613
2010-08-04 11:09 edgarwahn Assigned To => Sourcerer
2010-08-04 11:09 edgarwahn Status new => confirmed
2010-08-05 12:46 Sourcerer Note Added: 0001618
2010-08-05 12:46 Sourcerer Status confirmed => solved?
2011-07-01 19:21 NEOatNHNG Status solved? => closed
2011-07-01 19:21 NEOatNHNG Resolution open => fixed
2013-01-15 14:30 Werner Dworak Fixed in Version => 2010 Q3