Secure /reset from "leaking" email address info #4918

julianlam · 2016-08-08T13:28:58Z

If an email is found in the database, you get "password reset sent". If not, you get an error alert saying the email doesn't exist.

A malicious user may use this as an interface to determine which emails are registered.

Suggestions:

The server response should always be the same, an .alert-info saying "If this email address is found in our records, we will send a password reset request"
If you hit the /reset route over a certain threshold, you should be blocked from using the form.

The text was updated successfully, but these errors were encountered:

pichalite · 2016-08-08T13:36:03Z

👍

…ic** <NodeBB/NodeBB#4909> <apxltd/what-bugs#50> - Composer drag-and-drop target area contains entire composer, not just textarea <NodeBB/nodebb-plugin-composer-default#55> - Fixed an admin panel client side graph problem <NodeBB/NodeBB#4921> - Properly handle npm v3 dependencies <NodeBB/NodeBB@19b4679> - Stopped the password reset page from revealing whether an email address existed in the database <NodeBB/NodeBB#4918> - "Fork topic" style changes <NodeBB/nodebb-theme-persona#306> - Fixed `unsaved-changes` popup <akhoury/nodebb-plugin-spam-be-gone#49> - **Added forum-wide setting: "Number of replies after users are disallowed to delete their own topics."** <NodeBB/NodeBB#4919> - Fixed username being missing from the account info page's breadcrumb <NodeBB/NodeBB#4930> - Allow first page of group members to be retrieved via websocket <NodeBB/NodeBB#4934>

julianlam added the enhancement label Aug 8, 2016

julianlam closed this as completed in fd8f5f9 Aug 9, 2016

julianlam self-assigned this Aug 9, 2016

julianlam added this to the 1.1.2 milestone Aug 9, 2016

Provide feedback