WBCE / WBCE_CMS

Core package of WBCE CMS. This package includes the core and the default addons. Visit https://wbce.org (DE) or https://wbce-cms.org (EN) to learn more or to join the WBCE CMS community.
https://wbce-cms.org
GNU General Public License v2.0
32 stars 22 forks source link

Forgot Password: Verification Link before reset #553

Open Forshock opened 1 year ago

Forshock commented 1 year ago

Forgot Password autmatically resets the password of the user and does not require verification of email access. This can be used to lock other users out by malicious actors.

Like the signup verify, allow for email verification before resetting the password.

Forshock commented 1 year ago

Additionally, changing the process for resets to limit User Enumeration attacks. Always send to "If account exists you will receive an email.

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

instantflorian commented 1 year ago

A two-step-verification for restting the password is a good idea, not sure how to implement this. But giving no exact feedback imho does not really enhance the security very much (a attacker just tests a bulk of mailadresses, and needs access to that mailboxes anyway to recieve login credentials), but real users will be confused, because they wont't know if they had entered the right mail address or not. Also for fixing technical issues it's important to know whether a mail should have been sent or not. So I suggest to leave the message as is.

WebDesignWorx commented 1 year ago

I'd rather leave it as is. The only scenario I would bother with this issue is in the event when WBCE users start complaining about it. But so far I haven't heard from anyone.

mrbaseman commented 1 year ago

Well, we assume that the email addresses are correct in the database. We could implement a verification process in the context when accounts are created or email addresses are changed. The verification link for the changes should expire after a reasonable time span... There are a couple of details to evaluate carefully. Anyhow, in the context of a password reset one could argue that it's already too late to do the verification of the email address. If the attacker has already control over the inbox of this email account, he also receives the verification link. If not, he doesn't receive the new password either. In my opinion we can improve in the following aspects:

Forshock commented 1 year ago

After digging in a little, the existing signup confirmation process may be useful to process the request.

On signup the confirmcode and checksum are created (and updated). (account/confirm.php) User clicks link and a new random password is sent.

The only portion that may need change is in the account tool (tool_account_settings/account/form_forgot.php) Rather than change the password, the code & checksum are updated, and a new verification link is sent.

Forshock commented 1 year ago

And since I am referencing tool_account_settings: I cant find an explanation, but how is this a module when it is part of core functions? Would it not make more since to be within the framework? (New to this level of interaction on an open-source project so please forgive me if already mentioned or explained.)

WebDesignWorx commented 1 year ago

It is a module because sometimes people want to make changes to the functionality of this part of the CMS and rather than letting them do in in the core part we decided to make it a module. Also, you can reach the templates/layouts of the login/account etc. using 3rd party tools like the AFE, something you couldn't otherwise.