  1. #1

    False Positive Response on Forgotten Password Page

    Hello,

    No matter what garbage email I make up the Forgotten Password routine always replies with the SUCCESS_PASSWORD_SENT message.

    Additionally a search of the entire install's code for the TEXT_NO_EMAIL_ADDRESS_FOUND constant comes up empty except for the define() call in includes/languages/english/password_forgotten.php...

    // includes/languages/english/password_forgotten.php
    define('TEXT_NO_EMAIL_ADDRESS_FOUND', 'Error: The Email Address was not found in our records; please try again.');
    define('SUCCESS_PASSWORD_SENT', 'A new password has been sent to your email address.');

    In header_php.php I see

    // header_php.php (excerpt)
    if ($check_customer->RecordCount() > 0) {
        ...
    } else {
        $zco_notifier->notify('NOTIFY_PASSWORD_FORGOTTEN_NOT_FOUND', $email_address);
    }

    // runs on both branches, after the conditional
    $messageStack->add_session('login', SUCCESS_PASSWORD_SENT, 'success');

    Since the success message is outside that conditional maybe that is why we always see the success message?

    Additionally in my whole install I cannot find any other reference to NOTIFY_PASSWORD_FORGOTTEN_NOT_FOUND.

    Is this a bug? How do I get notification of a bad email address delivered to screen here?

    TIA

    David

  2. #2

    Re: False Positive Response on Forgotten Password Page

    Quote Originally Posted by jerrygarciuh:
        Is this a bug? How do I get notification of a bad email address delivered to screen here?
    No, it's not a bug. It's intentional.

    Think of it this way: if a hacker is trying to guess usernames to get into your store by submitting thousands of possibilities to that page, and the Password Forgotten tells them when they have a bad one, but does something different when they find a good one, then BAM, the hacker suddenly has 50% of the information they need to break into your store.

    Industry standard security rules state that security-related forms should NEVER disclose any evidence of failure different from success.

    If you dislike the word 'success' being on-screen, then simply reword the message to "If the email address you entered is found in our system, password reset instructions have been emailed to you."
    In fact, I believe the current version of Zen Cart does exactly that.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
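The principle in the reply above, as an added example (not Zen Cart's own code, and the customer table, mailer and notifier are stand-ins): the handler records what happened server-side, but the message returned to the browser is the same string whether or not the address is registered, so the page cannot be used to enumerate accounts.

```php
<?php
declare(strict_types=1);

// Constructed sample customer table, keyed by lowercased email.
const KNOWN_CUSTOMERS = ['alice@example.com' => 1001, 'bob@example.com' => 1002];

// Neutral wording: true on both branches, so it never confirms an address.
const SUCCESS_PASSWORD_SENT =
    'If the email address you entered is found in our system, '
    . 'password reset instructions have been emailed to you.';

function findCustomerId(string $email): ?int
{
    return KNOWN_CUSTOMERS[strtolower(trim($email))] ?? null;
}

/**
 * Handle one reset request and return the on-screen message.
 *
 * $sideEffects receives what happened server-side (a mail was queued, or a
 * not-found event was logged). That is where the miss belongs: in logs and
 * rate limiting, never in the response body.
 */
function handleForgottenPassword(string $email, array &$sideEffects): string
{
    $sideEffects = [];
    $customerId = findCustomerId($email);

    if ($customerId !== null) {
        // Real code would generate a reset token and queue the email here.
        // Queuing (rather than sending inline) also keeps response time
        // similar on both branches, so timing does not leak the result.
        $sideEffects[] = "mail:customer:$customerId";
    } else {
        // Mirrors $zco_notifier->notify('NOTIFY_PASSWORD_FORGOTTEN_NOT_FOUND', ...):
        // the miss is recorded for monitoring, not shown to the visitor.
        $sideEffects[] = 'log:not_found';
    }

    // Deliberately outside the conditional: identical text on both paths.
    return SUCCESS_PASSWORD_SENT;
}

// Both requests yield the same visible message; only the side effects differ.
$shown  = handleForgottenPassword('alice@example.com', $fxKnown);
$shown2 = handleForgottenPassword('nobody@example.invalid', $fxUnknown);
assert($shown === $shown2);
assert($fxKnown === ['mail:customer:1001'] && $fxUnknown === ['log:not_found']);
```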

  3. #3

    Re: False Positive Response on Forgotten Password Page

    I wondered if that might be the case but the presence of TEXT_NO_EMAIL_ADDRESS_FOUND in the file muddied the water and suggested that the functionality existed to notify users of a lack of a match.

    Thank you very much for the reply! I'll let my client know.

    David
