
Password Reset: Reset link should be sent only if the provided email exists in LDAP #975

Closed
syntrydy opened this Issue Apr 27, 2018 · 3 comments

Comments

@syntrydy
Contributor

syntrydy commented Apr 27, 2018

Description

During PASSWORD reset, the reset link is sent to the provided email address. Actually there is no validation to check whether the email exists in Gluu's LDAP.

Password reset link should be sent only when there is a user entry with the provided email in LDAP.

@syntrydy syntrydy added this to the 3.1.4 milestone Apr 27, 2018

@mzico


Contributor

mzico commented Apr 27, 2018

@syntrydy : don't you think it might leak certain 'true' information to crackers? For example, if Gluu Server 'checks' for a valid email_address, it gives a 'green signal' to the cracker that... "Yes... this email_address is already here in Gluu Server".

@yurem : what do you think?

@sahiliamsso


Contributor

sahiliamsso commented Apr 27, 2018

Email validations are done at the backend. The user receives a link to reset the password only when the email is registered with GLUU. Otherwise this message is sent by email: “This email address is not on our database of registered users and therefore the attempted password change has failed.”
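
An added example of the flow this thread is circling, written here as illustration and not taken from Gluu's code: the backend looks the address up in the directory and issues a reset link only for a registered user, as the issue asks, but the response handed back to the requester is identical whether or not the address exists, so the existence check does not become the enumeration oracle mzico describes. An unknown address gets the "not on our database" notice sahiliamsso quotes delivered to that mailbox, never to the requester. The directory, mailer and token store are constructed in-memory stand-ins for LDAP, SMTP and a server-side cache; every function name, hostname and parameter here is hypothetical.

```python
"""Enumeration-resistant password reset (added example; hypothetical names,
in-memory stand-ins for LDAP, SMTP and a server-side token cache)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

RESET_TTL_SECONDS = 15 * 60
# The requester always sees this text, registered address or not.
GENERIC_RESPONSE = "If that address is registered, a password reset email has been sent."


@dataclass
class Mailer:
    """Constructed stand-in for an SMTP client: just records outgoing mail."""
    outbox: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.outbox.append({"to": to, "subject": subject, "body": body})


@dataclass
class TokenStore:
    """Server-side map sha256(token) -> (email, expiry). Raw tokens are never stored,
    so a leaked store does not yield usable reset links."""
    entries: dict = field(default_factory=dict)

    def put(self, token: str, email: str, now: float) -> None:
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.entries[digest] = (email, now + RESET_TTL_SECONDS)

    def consume(self, token: str, now: float) -> Optional[str]:
        """Return the email bound to a valid token and invalidate it (single use);
        None for unknown or expired tokens."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.entries.pop(digest, None)
        if entry is None:
            return None
        email, expiry = entry
        return email if now <= expiry else None


def normalize_email(email: str) -> str:
    return email.strip().lower()


def request_password_reset(email: str, directory: dict, mailer: Mailer,
                           store: TokenStore, now: Optional[float] = None) -> str:
    """Handle a reset request. Returns the same string for known and unknown
    addresses; the only observable difference is what lands in a mailbox.
    `directory` stands in for the LDAP search: normalized mail -> user entry."""
    now = time.time() if now is None else now
    addr = normalize_email(email)
    user = directory.get(addr)            # exactly one lookup on every path
    token = secrets.token_urlsafe(32)     # generated on both paths to keep timing similar
    if user is not None:
        # Registered user: store only the token's hash and mail the link to the
        # address held in the directory, not to whatever the requester typed.
        store.put(token, user["mail"], now)
        mailer.send(user["mail"], "Password reset",
                    f"https://idp.example/reset?token={token}")  # hypothetical host
    else:
        # Unknown address: the notice goes to that mailbox, nothing is stored,
        # and the HTTP response below is unchanged.
        mailer.send(addr, "Password reset",
                    "This email address is not on our database of registered users "
                    "and therefore the attempted password change has failed.")
    return GENERIC_RESPONSE


if __name__ == "__main__":
    # Constructed sample directory standing in for LDAP entries.
    users = {"alice@example.com": {"uid": "alice", "mail": "alice@example.com"}}
    mailer, store = Mailer(), TokenStore()
    print(request_password_reset("Alice@Example.com ", users, mailer, store))
    print(request_password_reset("nobody@example.com", users, mailer, store))
    for m in mailer.outbox:
        print(m["to"], "<-", m["body"][:60])
```

The identical response closes the direct oracle, but two things the snippet only gestures at still matter in a real deployment: the two paths must also take about the same time (the lookup and token generation run on both branches for that reason, but the mail send should be queued, not done inline), and the endpoint needs rate limiting per address and per source, since anything that sends a message to an arbitrary address on request is otherwise a spam relay.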

@syntrydy


Contributor

syntrydy commented Apr 28, 2018

That is not the case @sahiliamsso, feel free to test with an unregistered email.
