[LUI-45] Forgotten Password Form Leaks Valid Usernames and 'forgotPassword' Page is Non-Functional - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Could
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.0
Labels:

Complexity:
Low
Development:

Under Review1 build succeeded

Description

Credit: Timothy D. Morgan

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=
(to be entered)

In: https://192.168.2.164/openmrs/forgotPassword.form

Submitting invalid username returns "Invalid user or the secret question has not been set. Please contact an administrator for help resetting your password." while a valid username (but no secret question) yields "Invalid user or the secret question has not been set. Please contact an administrator for help resetting your password."

Further, submitting a valid username shows the secret question itself.

Gliffy Diagrams

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

(7102014).PNG
31 kB
2014-10-07 13:30:03 GMT
20122014.PNG
31 kB
2014-12-20 03:03:37 GMT
TRUNK-3933_p1.patch
2 kB
2013-04-10 06:13:45 GMT
Untitled.png
20 kB
2016-01-22 14:00:55 GMT
user_redirected_to_reset_page.png
36 kB
2016-01-22 14:00:56 GMT
valid_user_entering_password.png
20 kB
2016-01-22 14:00:56 GMT

Activity

People

Assignee:: Shreyans Sheth

Reporter:: Michael Downey

Designated Committer:: Daniel Kayiwa

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: 2013-03-21 10:46:52 GMT

Updated:: 2016-01-22 14:00:56 GMT

Resolved:: 2016-01-21 21:18:16 GMT

Time Tracking

Estimated:

Remaining:

Logged: