From 5d30c9517d34912a1b83c02685391d417c9af019 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Marc=20V=C3=A9ron?= Date: Tue, 23 May 2017 07:08:41 +0200 Subject: [PATCH] Bug 18653: Possible privacy breach with OPAC password recovery OPAC password recovery allows to find out which email address belongs to an account. An attacker could systematically guess login names. If they hit an existing one, OPAC displays a message like: An email has been sent to "xxx@yyy.zz". Having a combination of login name and email, attackers could use the information e.g. for phishing or other personalized actions. To reproduce: - Enable OPAC password recovery (syspref OpacResetPassword) - 'Guess' a login name e.g. by using a common pattern like ptester for Peter Tester - If such account exists, you get to know the related email address This patch removes the email address from the success message. Additionaly, it changes wording to address Bug 18570 ('will be sent' instead of 'has been sent') Signed-off-by: Marcel de Rooy Simplified the wording. "Will be sent shortly" is used elsewhere too. Signed-off-by: Jonathan Druart (cherry picked from commit eddf975cf0244c731f987c64af5126090f73f9f2) Signed-off-by: Fridolin Somers (cherry picked from commit 2d1dad1a4afa1bfaa14715b7953ed8265dbdb398) Signed-off-by: Katrin Fischer --- .../opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt index 9d27b4b856..b5bfe36f17 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt @@ -107,7 +107,7 @@ [% ELSIF (mail_sent) %]

- An email has been sent to "[% email %]". + You will receive an email shortly.
Please click the link in this email to finish the process of resetting your password.
This link is valid for 2 days starting now.

-- 2.39.5