John, posted October 15, 2016:

The 'Confirm Password Reset' page has two flaws in it. I am not sure if this is fixed in v4.0; if someone could confirm that as well, that would be great.

1. The page title is missing. It only displays the company name and does not include $lang['ClientLogin.confirmreset.page_title'] in the title of the page. This is the only login-type page that has this behavior. I checked 3 different Blesta installs, including the one at account.blesta.com, and they all had this issue.

2. The password reset link does not expire after one use. This could be an issue, because if someone has access to your email even for a minute, they can generate a link that will get them into your Blesta account forever.

I did not test either of these issues with the staff interface, only the client interface.
Tyson, posted December 8, 2016:

Thanks for the report.

On 10/15/2016 at 4:59 PM, John said:
The 'Confirm Password Reset' page has two flaws in it. I am not sure if this is fixed in v4.0; if someone could confirm that as well, that would be great. 1. The page title is missing. It only displays the company name and does not include $lang['ClientLogin.confirmreset.page_title'] in the title of the page. This is the only login-type page that has this behavior. I checked 3 different Blesta installs, including the one at account.blesta.com, and they all had this issue.

We'll take a look at the page title.

On 10/15/2016 at 4:59 PM, John said:
2. The password reset link does not expire after one use. This could be an issue, because if someone has access to your email even for a minute, they can generate a link that will get them into your Blesta account forever. I did not test either of these issues with the staff interface, only the client interface.

The password reset link included in an email is only accessible for a short period of time. By default it is available for 4 hours; this can be changed in the config file via 'Blesta.reset_password_ttl'.
Blesta Addons, posted December 8, 2016:

5 hours ago, Tyson said:
The password reset link included in an email is only accessible for a short period of time. By default it is available for 4 hours; this can be changed in the config file via 'Blesta.reset_password_ttl'.

But normally, if the link was visited and the password was changed, it should be removed and have no effect, no?
Paul, posted December 8, 2016:

29 minutes ago, Blesta Addons said:
But normally, if the link was visited and the password was changed, it should be removed and have no effect, no?

Probably, but I doubt there is any mechanism in place to invalidate the link currently.
activa, posted December 9, 2016:

It would be nice to see a one-time link working...
Paul, posted December 9, 2016:

I'd suggest posting this on https://requests.blesta.com to request that the password link expire after it's used. It's not a bug, but it is a good idea.
Tyson, posted December 9, 2016:

A one-time link assumes the user clicked it and actually changed their password. This would require that we log all user password changes, which is another feature in itself. The current TTL would still have to apply regardless.