
Modified lostpass.php and user.php to avoid a username leak when usin…#1606

Merged
mambax7 merged 9 commits into XOOPS:master from kevinpetit:master
Feb 17, 2026

Conversation


@kevinpetit kevinpetit commented Feb 16, 2026

This modifies the language string "_US_PWDMAILED" to no longer display the username of the user associated with the email and removes the username getting passed through in the header.

This fixes a security (OWASP user enumeration) issue where a hacker could use an e-mail to:

  1. Verify that there is an account assigned to that e-mail address
  2. Find out what the username assigned to that e-mail address is.

In modern applications, we should NEVER confirm if an account exists on a password reset page and certainly not give the user ID.

Further checks should still be added in another PR to add in rate limits and the trigger of a CAPTCHA upon multiple attempts.

Summary by CodeRabbit

  • New Features
    • Replaced multiple password/reset notices with a single, clearer message: users are informed that if an account exists they will receive password reset instructions and to check spam/junk or contact the site administrator.
    • Post-reset and redirect notices no longer include usernames or account identifiers in the displayed messages, reducing disclosure of account details.
    • Messaging is now uniform across password/reset flows.
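The leak described in the PR and its fix, shown side by side as an added example. This is not XOOPS code and not the PR's diff: it is a stand-alone PHP script with a constructed in-memory user table, and every name in it (USERS, the MSG_* constants, findUserByEmail, lostPassLeaky, lostPassHardened, renderNotice, enumerationProbe) is hypothetical. The message strings only mirror the shape of the pre- and post-fix wording (one takes a username, one does not); they are not the project's language constants verbatim.

```php
<?php
// Added example (not XOOPS code): a minimal lost-password handler with the
// user-enumeration leak this PR fixes, beside a hardened version.
declare(strict_types=1);

// Constructed in-memory user table standing in for the XOOPS member handler.
const USERS = [
    ['uid' => 1, 'uname' => 'alice', 'email' => 'alice@example.com'],
    ['uid' => 2, 'uname' => 'bob',   'email' => 'bob@example.com'],
];

// Hypothetical language constants. The two "leaky" strings differ by branch
// and one of them interpolates the username; the generic one does neither.
const MSG_NOTFOUND_LEAKY = 'Sorry, no user information found for that e-mail address.';
const MSG_MAILED_LEAKY   = 'A password reset link has been mailed to the account "%s".';
const MSG_GENERIC        = 'If an account exists for that e-mail address, password reset '
    . 'instructions have been sent. Please check your spam/junk folder or '
    . 'contact the site administrator.';

function findUserByEmail(string $email): ?array
{
    foreach (USERS as $u) {
        if (strcasecmp($u['email'], $email) === 0) {
            return $u;
        }
    }
    return null;
}

// Before: the response text depends on whether the address is registered and
// embeds the login name, so a single request answers both attacker questions.
function lostPassLeaky(string $email, callable $sendMail): string
{
    $user = findUserByEmail($email);
    if ($user === null) {
        return MSG_NOTFOUND_LEAKY;
    }
    $sendMail($user['email'], $user['uname']);
    return sprintf(MSG_MAILED_LEAKY, $user['uname']);
}

// After: one message on every path, no identifier in it, no sprintf needed.
function lostPassHardened(string $email, callable $sendMail): string
{
    $user = findUserByEmail($email);
    if ($user !== null) {
        $sendMail($user['email'], $user['uname']);
    }
    return MSG_GENERIC;
}

// Escape even a static constant before rendering: language files are
// translated and edited, so treat their contents as data, not markup.
function renderNotice(string $msg): string
{
    return '<h4>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</h4>';
}

// Probe a handler the way an attacker would: one known and one unknown
// address, then compare the two responses.
function enumerationProbe(callable $handler): array
{
    $sent = [];
    $sendMail = function (string $to, string $uname) use (&$sent): void {
        $sent[] = $to; // stand-in for the real mailer; nothing leaves the box
    };
    $known   = $handler('alice@example.com', $sendMail);
    $unknown = $handler('nobody@example.com', $sendMail);
    return [
        'known'           => $known,
        'unknown'         => $unknown,
        'distinguishable' => $known !== $unknown,
        'mails_sent'      => $sent,
    ];
}

foreach (['leaky' => 'lostPassLeaky', 'hardened' => 'lostPassHardened'] as $name => $fn) {
    $r = enumerationProbe($fn);
    printf("%-8s distinguishable=%s mails=%d\n  known:   %s\n  unknown: %s\n",
        $name, $r['distinguishable'] ? 'yes' : 'no', count($r['mails_sent']),
        $r['known'], $r['unknown']);
}
echo renderNotice(MSG_GENERIC), "\n";
```

Run it with `php` on the command line; the probe reports whether the known and unknown addresses produce different text for each handler. One caveat the message change alone does not cover: the hardened handler still only does the mail work on the hit path, so response time can differ between a registered and an unregistered address. Sending the mail asynchronously (queue it, then respond) plus the rate limiting and CAPTCHA the PR author defers to a follow-up PR are the usual answers to that residual signal.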


coderabbitai Bot commented Feb 16, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Replaced three user-facing language constants with a single generic password-reset instruction and updated lostpass.php to use the non-personalized message constant (removed username interpolation from redirect and confirmation output).

Changes

Cohort / File(s): Summary

Language constants (password messages): htdocs/language/english/user.php
  Replaced _US_SORRYNOTFOUND, _US_PWDMAILED, and _US_CONFMAIL values with a single generic password-reset instruction; removed prior personalized wording and an adjacent comment line.

Password reset redirect / confirmation: htdocs/lostpass.php
  Switched redirect and confirmation output to use the static _US_PWDMAILED / _US_CONFMAIL constants without sprintf or inserting the user's uname into the message.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly identifies the main security fix: preventing username leakage in the password-reset flow by modifying lostpass.php and user.php.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection | ✅ Passed | No merge conflicts detected when merging into master

Copilot AI left a comment

Pull request overview

This PR aims to reduce user-enumeration risk in the core password recovery flow by removing username disclosure from the post-reset redirect message and updating the corresponding language string.

Changes:

  • Removed username interpolation when redirecting after a successful password reset in lostpass.php.
  • Updated _US_PWDMAILED to a generic, non-identifying password reset message in the English user language file.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
htdocs/lostpass.php | Stops passing the username into the redirect message after password reset.
htdocs/language/english/user.php | Replaces _US_PWDMAILED with a generic, non-enumerating message.

Comment thread htdocs/lostpass.php
Comment thread htdocs/language/english/user.php Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comment thread htdocs/language/english/user.php Outdated
mambax7 and others added 2 commits February 16, 2026 18:02
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
Verify each finding against the current code and only fix it if needed.

In `@htdocs/language/english/user.php`:
- Around line 63-69: Calls that wrap the language constants with sprintf/printf
and pass username args are still present; locate the usages where
sprintf(_US_PWDMAILED, $user->getVar('uname')), printf(_US_CONFMAIL,
$user->getVar('uname')) and printf(_US_CONFMAIL, $getuser[0]->getVar('uname'))
are used and remove the sprintf/printf wrapper and the username argument so the
code simply outputs the constant (e.g., use the constant directly with
echo/redirect/mail APIs), and delete any unnecessary $user->getVar('uname') /
$getuser[0]->getVar('uname') fetches to avoid extra work and prevent
reintroducing user enumeration.

Comment thread htdocs/language/english/user.php Outdated

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@htdocs/lostpass.php`:
- Line 94: The echoed confirmation header in lostpass.php currently outputs raw
_US_CONFMAIL; update the echo in the block that prints the confirmation message
(the line using echo '<h4>' . _US_CONFMAIL . '</h4>'; ) to escape the value with
htmlspecialchars(_US_CONFMAIL, ENT_QUOTES, 'UTF-8') so the output is properly
HTML-escaped before rendering.

Comment thread htdocs/lostpass.php

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread htdocs/language/english/user.php Outdated
mambax7 and others added 3 commits February 16, 2026 20:12
Updated user notifications in language files for clarity and consistency.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

mambax7 (Collaborator) commented Feb 17, 2026

Thank you, @kevinpetit

@mambax7 mambax7 merged commit a81058e into XOOPS:master Feb 17, 2026
7 of 10 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request Feb 24, 2026
3 participants