View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000804 | Main CAcert Website | account administration | public | 2010-01-16 20:32 | 2013-01-15 14:30 |
| Reporter | NEOatNHNG | Assigned To | Sourcerer | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 2010 Q3 | ||||
| Summary | 0000804: Don't show the requested pass phrase in the mail sent to support | ||||
| Description | Every time someone tries his lost password questions and fails a mail is sent to support including what the member typed, what is in the system and the new pass phrase the member wanted to set. We don't care for the intended password and it's a potential security risk if the mail leaks for some reason (some people even use the same password for multiple sites) so I propose to remove that line. | ||||
| Additional Information | Patch included | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
2010-01-16 20:32
|
RequestedPassword.diff (753 bytes)
--- cacert/www/index.php 2009-12-26 19:46:00.000000000 +0100
+++ cacert/www/index.php 2010-01-16 21:26:00.000000000 +0100
@@ -98,7 +98,6 @@
$body = "Someone has just attempted to update the pass phrase on the following account:\n".
"Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n".
"email: ".$_SESSION['lostpw']['user']['email']."\n".
- "Requested Pass Phrase: ".$_SESSION['lostpw']['pw1']."\n".
"IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n".
"---------------------------------------------------------------------\n".$body.
"---------------------------------------------------------------------\n";
|
|
|
Ok, thats definitely a good idea, patch looks ok. I'd even go one step further and drop all information from the form from the email. Just add enouth data to allow an support engineer to log into the system, identify the user and see the credentials over the web. |
|
|
I have applied the patch on the production system. I think it helped to have some details in the email, to get an easier overview on possible attack patterns when browsing through the emails. So if we want to remove the information from the email, we should add a web-page that provides that overview again. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2010-01-16 20:32 | NEOatNHNG | New Issue | |
| 2010-01-16 20:32 | NEOatNHNG | File Added: RequestedPassword.diff | |
| 2010-08-04 11:09 | edgarwahn | Note Added: 0001613 | |
| 2010-08-04 11:09 | edgarwahn | Assigned To | => Sourcerer |
| 2010-08-04 11:09 | edgarwahn | Status | new => confirmed |
| 2010-08-05 12:46 | Sourcerer | Note Added: 0001618 | |
| 2010-08-05 12:46 | Sourcerer | Status | confirmed => solved? |
| 2011-07-01 19:21 | NEOatNHNG | Status | solved? => closed |
| 2011-07-01 19:21 | NEOatNHNG | Resolution | open => fixed |
| 2013-01-15 14:30 | Werner Dworak | Fixed in Version | => 2010 Q3 |
