Fixed issue #9436: Forgotpassword functionality may disclose informat…

…ion about users
LimeSurvey · Jan 29, 2015 · 73c26f0 · 73c26f0
1 parent 12948f8
commit 73c26f0
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/application/config/config-defaults.php b/application/config/config-defaults.php
@@ -315,6 +315,13 @@
 */
 $config['showrelevance'] =  false;
 
+/**
+* To prevent brute force against forgotten password functionality, there is a random delay
+* that prevent attacker from knowing whether username and email address are valid or not.
+*/
+$config['minforgottenpasswordemaildelay'] =  500000;
+$config['maxforgottenpasswordemaildelay'] =  1500000;
+
 /**
 *  PDF Export Settings
 *  This feature configures PDF export for Export Answers

diff --git a/application/controllers/admin/authentication.php b/application/controllers/admin/authentication.php
@@ -145,18 +145,19 @@ public function forgotpassword()
 
             $aFields = User::model()->findAllByAttributes(array('users_name' => $sUserName, 'email' => $sEmailAddr));
 
+            // Preventing attacker from easily knowing whether the user and email address are valid or not (and slowing down brute force attacks)
+            usleep(rand(Yii::app()->getConfig("minforgottenpasswordemaildelay"),Yii::app()->getConfig("maxforgottenpasswordemaildelay")));
+
             if (count($aFields) < 1)
             {
                 // wrong or unknown username and/or email
-                $aData['errormsg'] = $this->getController()->lang->gT('User name and/or email not found!');
-                $aData['maxattempts'] = '';
-                $this->_renderWrappedTemplate('authentication', 'error', $aData);
+                $aData['message'] = '<br>'.gT('If username and email that you specified are valid, a new password has been sent to you').'<br>';
             }
             else
             {
-                $aData['message'] = $this->_sendPasswordEmail($sEmailAddr, $aFields);
-                $this->_renderWrappedTemplate('authentication', 'message', $aData);
+                $aData['message'] = '<br>'.$this->_sendPasswordEmail($sEmailAddr, $aFields).'</br>';
             }
+            $this->_renderWrappedTemplate('authentication', 'message', $aData);
         }
     }
 
@@ -189,12 +190,11 @@ private function _sendPasswordEmail($sEmailAddr, $aFields)
         if (SendEmailMessage($body, $sSubject, $sTo, $sFrom, $sSiteName, false, $sSiteAdminBounce))
         {
             User::model()->updatePassword($aFields[0]['uid'], $sNewPass);
-            $sMessage = $username . '<br />' . $email . '<br /><br />' . $clang->gT('An email with your login data was sent to you.');
+            $sMessage = gT('If username and email that you specified are valid, a new password has been sent to you');
         }
         else
         {
-            $sTmp = str_replace("{NAME}", '<strong>' . $aFields[0]['users_name'] . '</strong>', $clang->gT("Email to {NAME} ({EMAIL}) failed."));
-            $sMessage = str_replace("{EMAIL}", $sEmailAddr, $sTmp) . '<br />';
+            $sMessage = gT("Email failed.");
         }
 
         return $sMessage;