Amit Kumar Mishra Posted October 31, 2018

Hi, when we try to reset our password (client side) and enter any email address, it says "email sent". Rather, it should say "invalid email" or "email not found", or anything meaningful, in case the email is not registered with the Blesta install. This is just a suggestion; not sure if this has ever been brought to notice or not, or even whether any work is being done on this. In case this is already on the to-do list, this may just be ignored.
Paul Posted October 31, 2018

If it said something else, an attacker could throw a dictionary file of email addresses at your system and find out which users are registered. It's an attack vector. I think there is a setting for this in /config/blesta.php though:

// Default password reset value. Set to true for improved security, false for more accurate error reporting
Configure::set('Blesta.default_password_reset_value', true);

But I don't recall 100% if this is the one. You can try changing it to false and test. If it doesn't affect that, then just change it back.
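To show what the reply above means by an attack vector, here is an added example (not Blesta's code, and not something posted in this thread) that models a password-reset endpoint with a flag mirroring the behaviour the setting describes: true always answers with the same generic message, false reports an accurate "not found" error. The user set, the wordlist and the message strings are constructed for the example; an attacker function then runs the wordlist through the form and keeps every address whose response differs from the response for an address that certainly does not exist.

```python
"""Added example (not Blesta's code): account enumeration via a
password-reset form, and why a generic response closes that channel.

Assumptions (hypothetical, for illustration): a small in-memory user set
and a boolean flag that mimics the documented
Blesta.default_password_reset_value setting (True always reports success,
False reports accurate errors).
"""
from dataclasses import dataclass, field

# Constructed sample data: which addresses actually have an account.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Constructed attacker wordlist (the "dictionary file of email addresses").
WORDLIST = [
    "admin@example.com",
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
]

GENERIC_MSG = "If that address is registered, a reset email has been sent."
NOT_FOUND_MSG = "email not found"


@dataclass
class ResetService:
    # True  -> always answer with the generic message (safe default)
    # False -> reveal whether the address exists (accurate errors)
    default_success: bool = True
    sent: list = field(default_factory=list)

    def request_reset(self, email: str) -> str:
        exists = email in REGISTERED
        if exists:
            # A real system would queue the reset email here.
            self.sent.append(email)
        if self.default_success or exists:
            return GENERIC_MSG
        return NOT_FOUND_MSG


def enumerate_accounts(service: ResetService, wordlist: list) -> list:
    """Attacker's view: learn the response for an address that certainly
    does not exist, then report every wordlist entry whose response differs.
    Returns the registered addresses the form gave away (empty if none)."""
    baseline = service.request_reset("no-such-user@invalid.example")
    return sorted(e for e in wordlist if service.request_reset(e) != baseline)


if __name__ == "__main__":
    leaky = ResetService(default_success=False)
    safe = ResetService(default_success=True)
    print("accurate errors give away:", enumerate_accounts(leaky, WORDLIST))
    print("generic message gives away:", enumerate_accounts(safe, WORDLIST))
```

Two caveats when applying this to a real deployment: the generic message only closes the message channel, so if the registered-address branch does noticeably more work (rendering and sending mail synchronously) an attacker can still distinguish the two cases by response time, and the endpoint should be rate-limited regardless, since the same wordlist can be replayed against login and registration forms that may leak the same fact.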
Amit Kumar Mishra Posted October 31, 2018

+1 for security measures. How can you #BlestaDevelopers think of everything from the beginning? Great work @Paul & Team.
Paul Posted October 31, 2018

Thanks! I confirmed this is the setting, and I started a new page in our documentation for this: https://docs.blesta.com/display/user/Config+Files#ConfigFiles-Blesta.default_password_reset_value