sentora / sentora-core

Sentora is a web hosting control panel written in PHP for *NIX
GNU General Public License v3.0
648 stars 446 forks

Forgot password sends email to any address #17

Closed jacobgelling closed 10 years ago

jacobgelling commented 10 years ago

As reported by @zabounis in zpanel/zpanelx#202 - You can use the forgot password form to send a password reset link to any email address, even if they are not a registered Sentora user.

I'll fix tomorrow when I can figure out how to make multiple pull requests lol :question:

allebb commented 10 years ago

Jesus, how the hell did this go unnoticed! - I'll dig around the code and check it out today if I get 10 minutes free whilst at work!


Caffe1neAdd1ct commented 10 years ago

Looks like we could do with reviewing the forgotten password functionality completely to make sure it is secure and working as it should...

I'll also try and have a look if lunchtime is an option today...

allebb commented 10 years ago

Fully agree with you Kev, seems like the SQL code is missing some additional clauses :) - I agree though, we should re-engineer that feature!


jacobgelling commented 10 years ago

False alarm!!! In my tests this bug seems to be non existent...

People might be mistaken to think it sends an email to anyone as no error is given, but it doesn't actually do it. I should have checked this bug out properly last night but it was late :worried:

allebb commented 10 years ago

I was going to say lol... Last time I checked it was working fine :) - Couldn't see how we could have screwed that one up haha!

Can you just double check it again before I close the bug :)


jacobgelling commented 10 years ago

Yep, tested again and it doesn't exist.

Also found the code and it definitely checks that the email exists in the DB.

$sth = $zdbh->prepare("SELECT ac_id_pk, ac_user_vc, ac_email_vc FROM  x_accounts WHERE ac_email_vc = :forgotPass");
...
$rows = $sth->fetchAll();
if ($rows) {
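
As an added illustration (not Sentora's own code), the pattern the snippet above relies on: a forgot-password handler that only issues a reset token for addresses present in x_accounts, mails only the address stored on that row, and answers identically either way so the form cannot be used to probe which addresses are registered. The table and column names come from the snippet; the $zdbh handle, the x_password_resets table, the $sendMail callable and the function name are assumptions.

```php
<?php
// Added example, not Sentora's code. Assumes a PDO handle $zdbh and the
// x_accounts columns shown in the issue; x_password_resets and the
// $sendMail callable are hypothetical.

function handleForgotPassword(PDO $zdbh, string $email, callable $sendMail): string
{
    // Neutral message returned in every case: an unknown address must not
    // produce a different response than a known one.
    $neutral = 'If that address is registered, a reset link has been sent.';

    // Parameterised lookup: the submitted address never reaches SQL as a literal.
    $sth = $zdbh->prepare(
        'SELECT ac_id_pk, ac_user_vc, ac_email_vc FROM x_accounts WHERE ac_email_vc = :forgotPass'
    );
    $sth->execute([':forgotPass' => $email]);
    $rows = $sth->fetchAll(PDO::FETCH_ASSOC);

    // No matching account, no mail: this is the check the issue confirmed exists.
    if (!$rows) {
        return $neutral;
    }
    $account = $rows[0];

    // Random, single-use token, stored hashed with a short expiry so a
    // leaked database does not yield usable reset links.
    $token = bin2hex(random_bytes(32));
    $ins = $zdbh->prepare(
        'INSERT INTO x_password_resets (pr_account_fk, pr_token_hash, pr_expires_ts) '
        . 'VALUES (:id, :hash, :exp)'
    );
    $ins->execute([
        ':id'   => $account['ac_id_pk'],
        ':hash' => hash('sha256', $token),
        ':exp'  => time() + 3600,
    ]);

    // The mail goes only to the address stored in the account row, never to
    // whatever was typed into the form.
    $sendMail(
        $account['ac_email_vc'],
        'Password reset',
        "Hello {$account['ac_user_vc']}, your reset token is: $token"
    );
    return $neutral;
}
```
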

allebb commented 10 years ago

Excellent, thought as much :)