  1. #1
    Join Date: Nov 2008
    Posts: 46
    Plugin Contributions: 0

    [Done v1.6.0] Lost password email request error message incorrect

    I think this problem may be causing some confusion.

    If you enter a CORRECT email address to reset your password you get a message to say:

    "A new password has been sent to the email address you entered.
    Click "login" below to login with the new temporary password."

    This is highlighted in green.

    However, if you send it to an INCORRECT address you get the SAME message but highlighted in red.

    So the colour changes depending on the class, but it is using the same message.

    So you think the mail has gone but it hasn't. I guess there should also be a 'try again' button.

    The problem is in password_forgotten.php at Line 46

    Code:
    $email_message = MESSAGE_PASSWORD_SENT;
    This is the same as line 66, but I think it should be as follows:

    Code:
    $email_message = ERROR_WRONG_EMAIL;
    Patch as below (assuming you haven't renamed your admin folder)

    B. Rgds
    John


    ### Patch
    #P ZenCart
    Index: admin/password_forgotten.php
    ===================================================================
    --- admin/password_forgotten.php (revision 77)
    +++ admin/password_forgotten.php (working copy)
    @@ -43,7 +43,7 @@
    if (! ($admin_email == $result->fields['admin_email']))
    {
    $error = true;
    - $email_message = MESSAGE_PASSWORD_SENT;
    + $email_message = ERROR_WRONG_EMAIL;
    }
    // BEGIN SLAM PREVENTION
    if ($_POST['admin_email'] != '')
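    Review bot: the replacement line `+ $email_message = ERROR_WRONG_EMAIL;` turns the reset form into an oracle for valid admin addresses: on a mismatch the page now shows a distinct error text (with `$error = true` already set), while a match shows the "password sent" text, so anyone can tell which addresses belong to admin accounts. The safer direction is the opposite one, a single neutral message and a single style for both branches, which is where the thread ends up in post #4 ("If the email address you entered matches an admin account..."); with the message identical, the remaining differences to check are the red/green class driven by `$error` and any timing difference from sending the mail inline, and the `// BEGIN SLAM PREVENTION` block that follows this hunk should still rate-limit both outcomes equally. Separately, the hunk as pasted has lost all leading indentation, so `patch` may refuse it or apply it with fuzz; re-post it with the original whitespace preserved.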

  2. #2
    Join Date: Jan 2004
    Posts: 66,364
    Blog Entries: 7
    Plugin Contributions: 274

    Re: Lost password email request error message incorrect

    Question:
    Do you think it's wise to confirm to a malicious visitor whether they've guessed your username correctly?
    Or is it safer to give the same message to all visitors regardless of whether they've guessed the value accurately?

    A bona fide trusted legitimate user will be able to supply accurate information without needing to be told that they were correct, wouldn't they?


    So, really the better fix is to make sure that not only the "text" is the same, but so is the color. We'll look into doing that in the next update. Thanks for pointing out the inconsistency.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date: Nov 2008
    Posts: 46
    Plugin Contributions: 0

    Re: Lost password email request error message incorrect

    Quote Originally Posted by DrByte:
    Question:
    Do you think it's wise to confirm to a malicious visitor whether they've guessed your username correctly?
    Or is it safer to give the same message to all visitors regardless of whether they've guessed the value accurately?

    A bona fide trusted legitimate user will be able to supply accurate information without needing to be told that they were correct, wouldn't they?

    So, really the better fix is to make sure that not only the "text" is the same, but so is the color. We'll look into doing that in the next update. Thanks for pointing out the inconsistency.

    Hmm, not sure if you understood me or that I was clear in my original post. In the first instance this was solely for an admin password reset. Not admin username or normal user/password.

    I entered what I thought was the correct email address and got a nice notice saying email was sent. So I sat and waited. And waited, and waited. Until I figured something might be wrong. So I tried again. Another wait.

    When I entered the email address I got the following message in red:

    "A new password has been sent to the email address you entered.
    Click "login" below to login with the new temporary password."

    This is clearly wrong.

    I believe the code in the page was incorrect. With the change I made, on entry of a wrong password you now get the following in red:

    "You entered the wrong email address."

    This is correct and gives nothing away by doing this.

    B. Rgds
    John

    PS on this:

    A bona fide trusted legitimate user will be able to supply accurate information without needing to be told that they were correct, wouldn't they?
    You would think so. I am the admin, but after 2 weeks of not using it, *I* couldn't remember my login details. So I made a guess at the email address for a password reset, and then believed the message sat in front of me which told me it had sent me a mail which it hadn't :-) Doh!

  4. #4
    Join Date: Jan 2004
    Posts: 66,364
    Blog Entries: 7
    Plugin Contributions: 274

    Re: Lost password email request error message incorrect

    Okay.

    The new message will be: "Thank you. If the email address you entered matches an admin account in our database, then a new password will be sent to that email address. Please read that email and then click "login" below to login with the new temporary password."
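The approach the thread settles on in posts #2 and #4, one response for both matching and non-matching addresses, written out as an added example that is not Zen Cart's own code. It assumes two hypothetical callbacks standing in for the database query and the mailer in admin/password_forgotten.php, an assumed constant name for the post #4 text, and assumed CSS class names; only the message text itself comes from the thread.

```php
<?php
// Added example, not Zen Cart's own code. Handles an admin "password forgotten"
// request so that the visitor sees the same text and the same CSS class whether
// or not the submitted address matches an admin account.
//
// Assumptions (hypothetical, not from Zen Cart):
//   - $find_admin_by_email(string $email): ?array returns
//     ['admin_id' => ..., 'admin_email' => ...] on a match, or null; it stands in
//     for the database query in password_forgotten.php.
//   - $send_reset_mail(string $to, string $temporary_password): void delivers the mail.
//   - The constant name and the CSS class names below are assumed, not the project's.

// Message text from post #4 of this thread.
define('MESSAGE_PASSWORD_REQUEST_RECEIVED',
    'Thank you. If the email address you entered matches an admin account in our database, '
    . 'then a new password will be sent to that email address. Please read that email and then '
    . 'click "login" below to login with the new temporary password.');

function handle_password_forgotten(string $posted_email, callable $find_admin_by_email, callable $send_reset_mail): array
{
    $posted_email = trim($posted_email);

    // An empty submission is a form-validation error, not an account lookup, so a
    // distinct message here reveals nothing about which addresses exist.
    if ($posted_email === '') {
        return ['class' => 'messageStackError', 'message' => 'Please enter an email address.'];
    }

    $admin = $find_admin_by_email($posted_email);
    if ($admin !== null) {
        // Only a matching account gets a new temporary password mailed to it.
        // A real handler would also store a hash of it on that admin record.
        $temporary_password = bin2hex(random_bytes(8));
        $send_reset_mail($admin['admin_email'], $temporary_password);
    }

    // Both the matching and the non-matching path end here with identical output,
    // so the page cannot be used to tell valid admin addresses from invalid ones.
    return ['class' => 'messageStackSuccess', 'message' => MESSAGE_PASSWORD_REQUEST_RECEIVED];
}

// Stand-alone run with constructed sample data.
$admins = ['owner@example.com' => ['admin_id' => 1, 'admin_email' => 'owner@example.com']];
$lookup = function (string $email) use ($admins): ?array {
    return $admins[$email] ?? null;
};
$sent = [];
$mailer = function (string $to, string $temporary_password) use (&$sent): void {
    $sent[] = $to; // constructed stand-in: records the recipient instead of sending
};

$match    = handle_password_forgotten('owner@example.com', $lookup, $mailer);
$mismatch = handle_password_forgotten('nobody@example.com', $lookup, $mailer);

echo ($match === $mismatch) ? "responses identical\n" : "responses differ\n";
echo 'mail sent to: ' . implode(', ', $sent) . "\n";
```

With the text and the class identical, what remains to check is whether anything else distinguishes the two paths: sending the mail inline makes the matching case measurably slower, so queue the send or do it after the response, and keep the rate limiting (the slam-prevention block in the original file) applied to both outcomes alike.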
