Legacy UI Module / LUI-45

Forgotten Password Form Leaks Valid Usernames and 'forgotPassword' Page is Non-Functional


    Details

    • Complexity:
      Low

      Description

      Credit: Timothy D. Morgan

      CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=
      (to be entered)

      In: https://192.168.2.164/openmrs/forgotPassword.form

      Submitting an invalid username returns "Invalid user or the secret question has not been set. Please contact an administrator for help resetting your password.", while a valid username (with no secret question set) yields "Invalid user or the secret question has not been set. Please contact an administrator for help resetting your password."

      Further, submitting a valid username that has a secret question set shows the secret question itself, which confirms to an unauthenticated caller that the account exists. To close the enumeration channel, the form should return the same response (body, status code and, as far as practical, timing) whether or not the username is valid, and should not display the secret question to a caller who has not yet been identified through another channel.
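      The enumeration check a tester would run against such a form, modelled offline as an added example (this is not OpenMRS code and the live forgotPassword.form was not exercised here): the account table, the function names, the uniform reply wording and the reset queue are all constructed for the illustration. The vulnerable handler reproduces the reported behaviour, the hardened handler answers identically for every input, and enumerate_usernames shows which candidates each one gives away.

```python
"""Constructed model of a forgot-password form that answers differently for
real and unknown usernames.  Added illustration, not OpenMRS code: the
account table, function names and messages are made up for the example."""
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Message the report quotes for an unknown user (and for a user whose
# secret question is not set).
GENERIC_MSG = ("Invalid user or the secret question has not been set. "
               "Please contact an administrator for help resetting your password.")
# Uniform reply used by the hardened handler for every input (assumed wording).
UNIFORM_MSG = ("If an account with that username exists, password reset "
               "instructions have been sent to the address on file.")

# Constructed sample accounts: username -> secret question, None if not set.
USERS: Dict[str, Optional[str]] = {
    "admin": "What was the name of your first pet?",
    "nurse1": None,
}

# Models out-of-band delivery (e-mail) for the hardened flow; constructed.
RESET_QUEUE: List[Tuple[str, str]] = []


def vulnerable_forgot_password(username: str) -> str:
    """Behaviour described in the report: a valid username whose secret question
    is set gets the question echoed back, so the reply itself reveals that the
    account exists.  Unknown users and users without a question get the same
    generic message."""
    question = USERS.get(username)
    if question is None:
        return GENERIC_MSG
    return f"Secret question: {question}"


def hardened_forgot_password(username: str) -> str:
    """Same reply body for every input; the secret question is never shown and
    the reset proceeds through a channel the caller cannot observe."""
    if username in USERS:
        RESET_QUEUE.append((username, secrets.token_urlsafe(32)))
    return UNIFORM_MSG


def enumerate_usernames(handler: Callable[[str], str],
                        candidates: List[str]) -> List[str]:
    """The check a tester runs: probe with a username that certainly does not
    exist, then report every candidate whose reply differs from that baseline.
    Against a live endpoint the handler would wrap an HTTP POST and compare
    status code, redirects and body (and ideally response time), not a string."""
    baseline = handler("no-such-user-" + secrets.token_hex(8))
    return sorted(u for u in candidates if handler(u) != baseline)


if __name__ == "__main__":
    probes = ["admin", "nurse1", "ghost"]
    print("vulnerable:", enumerate_usernames(vulnerable_forgot_password, probes))
    print("hardened:  ", enumerate_usernames(hardened_forgot_password, probes))
```

      Against the vulnerable handler only the account that has a secret question set stands out, which matches the report: the unknown user and the user without a question share one message. When repeating this against a real form, compare the full response (status, Location header, body and timing), since a redirect to a reset page for valid users is as strong an oracle as a differing message.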

        Attachments

        1. (7102014).PNG (31 kB)
        2. 20122014.PNG (31 kB)
        3. TRUNK-3933_p1.patch (2 kB)
        4. Untitled.png (20 kB)
        5. user_redirected_to_reset_page.png (36 kB)
        6. valid_user_entering_password.png (20 kB)

          Activity

            People

            Assignee:
            bholagabbar Shreyans Sheth
            Reporter:
            michael Michael Downey
            Designated Committer:
            Daniel Kayiwa
            Votes:
            0
            Watchers:
            12

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                1d (original estimate: 1 day)
                Remaining:
                1h
                Logged:
                3h