mautic
Fix password reset enumeration users
| Q | A |
|---|---|
| Bug fix? (use the a.b branch) | [ v] |
| New feature/enhancement? (use the a.x branch) | [x ] |
| Deprecations? | [x ] |
| BC breaks? (use the c.x branch) | [x ] |
| Automated tests included? | [ x] |
| Related user documentation PR URL | mautic/mautic-documentation#... |
| Related developer documentation PR URL | mautic/developer-documentation#... |
| Issue(s) addressed | Fixes #... |
Description:
Risk level: MEDIUM Impact: Enumerate users Vulnerability use conditions: Access to login page
There are different repsonses when we are trying to reset password in using an existing user, and when the account doesn’t exist.
Existing user:
Steps to test this PR:
- Open this PR on Gitpod or pull down for testing locally (see docs on testing PRs here)
Codecov Report
Merging #11417 (d4a723e) into 5.x (912694b) will increase coverage by
0.02%. The diff coverage is44.44%.
@@ Coverage Diff @@
## 5.x #11417 +/- ##
============================================
+ Coverage 55.76% 55.79% +0.02%
Complexity 35896 35896
============================================
Files 2256 2256
Lines 107582 107582
============================================
+ Hits 59995 60020 +25
+ Misses 47587 47562 -25
| Impacted Files | Coverage Δ | |
|---|---|---|
| ...bundles/UserBundle/Controller/PublicController.php | 30.00% <37.50%> (+12.00%) |
:arrow_up: |
| app/bundles/UserBundle/Entity/UserRepository.php | 55.41% <100.00%> (+3.82%) |
:arrow_up: |
... and 2 files with indirect coverage changes
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
@escopecz
If the user does not exist then you get redirect without a message. So the responses are still different whether the user exists or not.
The point is that the answers vary depending on whether the user exists or not. This way the attacker can check which email addresses are in the system
@escopecz
If the user does not exist then you get redirect without a message. So the responses are still different whether the user exists or not.The point is that the answers vary depending on whether the user exists or not. This way the attacker can check which email addresses are in the system
That's the point I'm making. This PR does not solve this problem.
@escopecz
Can you justify why in your opinion it does not solve this problem? We have a unified response, regardless of whether the user exists or not, we receive the same message. Additionally, no redirection to the login page if the user existed in the database. If the PR does not solve the problem, ask for suggestions on how to solve the problem.
We have build CI error: There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 404 - {'detail': ErrorDetail(string='Unable to locate build via Github Actions API. Please upload with the Codecov repository upload token to resolve issue
That's a network issue. I'm re-running the failed job. Should be green in 10 minutes
@tomekkowalczyk It needs 2 things:
- Resolve the conflict
- One more approval from any tester.