Closed jacobgelling closed 10 years ago
Jesus, how the hell did this go unnoticed! - I'll dig around the code and check it out today if I get 10 minutes free whilst at work!
On 31 July 2014 00:16, Jacob Gelling notifications@github.com wrote:
As reported by @zabounis https://github.com/zabounis in zpanel/zpanelx#202 https://github.com/zpanel/zpanelx/issues/202 - You can use the forgot password form to send a password reset link to any email address, even if they are not a registered Sentora user.
I'll fix tomorrow when I can figure out how to make multiple pull requests lol :question:
Looks like we could do with reviewing the forgotten password functionality completely to make sure it is secure and working as it should...
I'll also try and have a look if lunchtime is an option today...
Fully agree with you Kev, seems like the SQL code is missing some additional clauses :) - I agree though, we should re-engineer that feature!
False alarm!!! In my tests this bug seems to be non-existent...
People might be mistaken to think it sends an email to anyone as no error is given, but it doesn't actually do it. I should have checked this bug out properly last night but it was late :worried:
I was going to say lol... Last time I checked it was working fine :) - Couldn't see how we could have screwed that one up haha!
Can you just double check it again before I close the bug :)
Yep, tested again and it doesn't exist.
Also found the code and it definitely checks that the email exists in the DB.
```php
// Lookup in the forgot-password handler: the address is bound as a parameter
// and the reset path is only taken when a matching account row comes back.
$sth = $zdbh->prepare("SELECT ac_id_pk, ac_user_vc, ac_email_vc FROM x_accounts WHERE ac_email_vc = :forgotPass");
...
$rows = $sth->fetchAll();
if ($rows) {
    // the reset link is only generated and mailed inside this branch
    ...
}
```
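The lookup-then-send logic above, written out as an added example in Python with sqlite3 (this is not Sentora's code): the column and table names follow the query quoted in the thread, while the `reset_tokens` table, `TOKEN_TTL` and the `outbox` list are assumptions for the demonstration. It also shows the point made in this thread that the form's response is the same for unregistered addresses, so nothing is sent and nothing is revealed.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)


def build_db():
    """Constructed in-memory stand-in for the x_accounts table plus an
    assumed reset_tokens table (not Sentora's real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE x_accounts (ac_id_pk INTEGER PRIMARY KEY, "
               "ac_user_vc TEXT, ac_email_vc TEXT UNIQUE)")
    db.execute("CREATE TABLE reset_tokens (ac_id_pk INTEGER, "
               "token_hash TEXT, expires_at INTEGER)")
    db.executemany("INSERT INTO x_accounts (ac_user_vc, ac_email_vc) VALUES (?, ?)",
                   [("zadmin", "admin@example.com"), ("bob", "bob@example.com")])
    return db


def forgot_password(db, email, outbox):
    """Handle one forgot-password request. A (recipient, token) pair is
    appended to outbox only when the address belongs to a registered account."""
    # Parameterised lookup, mirroring the prepared statement quoted above.
    row = db.execute(
        "SELECT ac_id_pk, ac_user_vc, ac_email_vc FROM x_accounts WHERE ac_email_vc = ?",
        (email,),
    ).fetchone()
    if row:
        token = secrets.token_urlsafe(32)
        # Store only a hash: reading the table must not yield usable reset links.
        db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)",
                   (row[0], hashlib.sha256(token.encode()).hexdigest(),
                    int(time.time()) + TOKEN_TTL))
        outbox.append((row[2], token))
    # Identical response either way, so the form never confirms whether an
    # address is registered (which is also why no error is shown).
    return "If that address is registered, a reset link has been sent."


def redeem_token(db, token):
    """Return the account id for a valid, unexpired, single-use token, else None."""
    h = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute("SELECT ac_id_pk FROM reset_tokens "
                     "WHERE token_hash = ? AND expires_at > ?",
                     (h, int(time.time()))).fetchone()
    if row:
        db.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (h,))
        return row[0]
    return None
```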
Excellent, thought as much :)