
Joomla Lost password not sending mail

Open rbuelund opened this issue 1 month ago • 29 comments

When using Lost password, no email is sent to the user, but when using lost username an email IS sent.

rbuelund avatar Nov 20 '25 16:11 rbuelund

@rbuelund Which Joomla version? As you might know, there are always 2 versions in use, currently 5.4.0 and 6.0.0.

richard67 avatar Nov 20 '25 17:11 richard67

5.4

rbuelund avatar Nov 20 '25 17:11 rbuelund

Are you using the PHP Mailer? Or SMTP?

richard67 avatar Nov 20 '25 17:11 richard67

SMTP - and as written - the lost username function DOES send mails, only the lost password function does not.

rbuelund avatar Nov 20 '25 17:11 rbuelund

Tested on two different sites.

rbuelund avatar Nov 20 '25 17:11 rbuelund

I cannot replicate the issue. In J5 and J6 all mails are sent.

chmst avatar Nov 20 '25 18:11 chmst

I can't imagine a scenario in joomla where one is sent and the other is not

brianteeman avatar Nov 20 '25 19:11 brianteeman

There could be an override of the lost password page. But perhaps it is only a typo in the mail address?

chmst avatar Nov 20 '25 19:11 chmst

No typo - tried several times, and with the exact same e-mail for lost username and lost password. Email only comes through for username.

rbuelund avatar Nov 20 '25 19:11 rbuelund

Can I in some way gather some more useful info on this?

rbuelund avatar Nov 20 '25 19:11 rbuelund

Which template are you using?

chmst avatar Nov 20 '25 19:11 chmst

Could it be a superadmin level user trying to fetch a password, which they cannot?

ot2sen avatar Nov 20 '25 20:11 ot2sen

Could it be a superadmin level user trying to fetch a password, which they cannot?

good point I forgot that

brianteeman avatar Nov 20 '25 21:11 brianteeman

The super user gets a message that he cannot require a new password.

chmst avatar Nov 20 '25 22:11 chmst

Are you sure as that would be a security vulnerability confirming that the email address is that of a super user. They just get the default

Image

brianteeman avatar Nov 20 '25 22:11 brianteeman

Well, thank you all - exactly the problem! But how should super users know that? I did not, or have forgotten it. Would it be a security risk to send a mail to the super user saying you cannot reset your password? If the super user's mail account has been hacked, well, then the hacker would possibly know anyway that this is a super user on that site?

rbuelund avatar Nov 21 '25 06:11 rbuelund

When I try the reset option, I get this message:

Image

Obviously a wrong message

chmst avatar Nov 21 '25 08:11 chmst

Weird - I just tried again in both J5 and J6 and did not get that.

brianteeman avatar Nov 21 '25 09:11 brianteeman

With e-mail address of the super user?

chmst avatar Nov 21 '25 09:11 chmst

yes

brianteeman avatar Nov 21 '25 09:11 brianteeman

I have no idea.

https://github.com/joomla/joomla-cms/blob/5.4-dev/components/com_users/src/Model/ResetModel.php#L425 this is the code. With false language keys.

chmst avatar Nov 21 '25 09:11 chmst

just rechecked on a clean 6.0 install - no change

brianteeman avatar Nov 21 '25 10:11 brianteeman

Just checked on a clean install of J5.4.0. Getting a user name reminder mail, but not a password mail for the super user. Same as Brian for the initial message. Not the strings from the com_users lang file.

Image

ot2sen avatar Nov 21 '25 20:11 ot2sen

The mail to the superuser is never sent - that is intentional. The message depends on the Debug setting - but the messages should not be different when debug mode is on. We will fix this. As for the supervisor, we will send an email that the password cannot be reset this way.

MacJoom avatar Dec 06 '25 13:12 MacJoom

No you must not send an email. That's a security issue confirming that the email is for a super user.

brianteeman avatar Dec 06 '25 13:12 brianteeman

No you must not send an email. That's a security issue confirming that the email is for a super user.

Maybe @MacJoom means that all other super users will get that email, but not the one who requests the password reset? Something like "Super user xyz has requested a password reset"?

richard67 avatar Dec 06 '25 13:12 richard67

If it's a superuser email, we will send the message that it cannot be reset this way to this superuser - without displaying a different message on the screen. I see no disclosure of information this way. No message is given on screen that an email is really being sent - the same as with random email addresses.

MacJoom avatar Dec 06 '25 13:12 MacJoom

I have gained control of the email and now I know that this email is for a superuser

brianteeman avatar Dec 06 '25 13:12 brianteeman

OK - then we cannot fix this issue anyway. But if one has control over the emails, he/she could probably check older emails and find out anyway...

MacJoom avatar Dec 06 '25 13:12 MacJoom