alextselegidis / easyappointments

Easy!Appointments - Self Hosted Appointment Scheduler
https://easyappointments.org
GNU General Public License v3.0

security breach #1590

Open Wittemberg opened 2 weeks ago

Wittemberg commented 2 weeks ago

I found a security flaw that I found bizarre.

I simulated losing my password... then I clicked on recover and it gave me an error, as I hadn't configured SMTP... In the error message that appeared on the screen, I had the new password... lol

cashewcodes9 commented 2 weeks ago

I found the same issue and this needs to be fixed ASAP as it is related to a security breach.

alextselegidis commented 1 week ago

Hello!

Thanks for sharing this.

This will only happen if the DEBUG mode is enabled, which is not related to production installations.

However we should in general avoid this, so I will change the debug output to not include passwords.

Alex Tselegidis, Easy!Appointments Creator
Need a customization? Get a free quote!
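The fix Alex describes above (keeping the new password out of the debug output) as an added PHP example; this is not Easy!Appointments code, and the mailer stand-in, function names and messages are hypothetical, not the project's real SMTP library or config keys.

```php
<?php
// Added example (not Easy!Appointments code): why a failed password-recovery
// mail must never surface the new password, even when debug output is on.

final class MailSendException extends RuntimeException {}

// Hypothetical mailer stand-in. Like a misconfigured SMTP setup, it fails and
// (badly) echoes the whole message payload back in the exception message.
function sendRecoveryMail(string $to, string $newPassword): void
{
    $body = "Your new password is: {$newPassword}";
    throw new MailSendException(
        "SMTP connect() failed for {$to}; payload was: {$body}"
    );
}

// Leaky pattern: the raw exception text reaches the browser whenever debug is on.
function recoverPasswordLeaky(string $email, bool $debug): string
{
    $newPassword = bin2hex(random_bytes(8));
    try {
        sendRecoveryMail($email, $newPassword);
        return 'Check your inbox.';
    } catch (MailSendException $e) {
        return $debug ? 'Error: ' . $e->getMessage() : 'Error sending mail.';
    }
}

// Hardened pattern: secrets are redacted from anything that can reach the
// screen or the log, independent of the debug flag.
function redactSecrets(string $text, array $secrets): string
{
    return str_replace($secrets, '[REDACTED]', $text);
}

function recoverPasswordSafe(string $email, bool $debug): string
{
    $newPassword = bin2hex(random_bytes(8));
    try {
        sendRecoveryMail($email, $newPassword);
        return 'Check your inbox.';
    } catch (MailSendException $e) {
        $detail = redactSecrets($e->getMessage(), [$newPassword]);
        error_log($detail); // safe to keep in the server log
        return $debug ? 'Error: ' . $detail : 'Error sending mail.';
    }
}

echo recoverPasswordLeaky('user@example.com', true), PHP_EOL;
echo recoverPasswordSafe('user@example.com', true), PHP_EOL;
```

Running the script with debug enabled shows the difference between the two handlers on the same failed send; in production, the redaction also protects whatever the exception text is written to (error log, monitoring, screen).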

cashewcodes9 commented 3 days ago

The app is not in debug mode and is running with Cloudron. The SMTP mail setup is wrong and the password is included in the error. Is there anything I can provide for further debugging? Thanks.

rezzorix commented 2 days ago

Just adding to see if I understand this right:

For this scenario to play out, the following conditions must be met:

Do I understand this right?

edit: @cashewcodes9 I also believe the software is in debug mode by default. You would need to change it after setup.

alextselegidis commented 2 days ago

Hello!

Clarification: the app is not in debug mode by default. This is something you can configure in the root config.php


rezzorix commented 2 days ago

Hello!

Clarification: the app is not in debug mode by default. This is something you can configure in the root config.php

Sorry, yes, I just checked my file and debug was set to true in my config.php... not sure where it came from. It is probably better for people to check their config.php in case they, like I did, modified something and then forgot about it. I have also checked the latest release; the config-sample.php is definitely not in debug mode.