
Conversation

@bholagabbar
Member

This is the Final Fix for the Leakage of Usernames that was occurring when a user clicked on the 'forgotPassword' link.

https://issues.openmrs.org/browse/LUI-45


In light of recent comments on the ticket, it has come to notice that this is a serious security issue and must be resolved ASAP. If you see the comments, you will notice that this code fixes the issue as per ticket description and quite well in general.


The Issue: Whenever a hacker enters the name of a random user, and the user is valid, his/her secret question is shown. This is a major vulnerability that had to be addressed.

The Fix: The solution is to ask ANY user a secret question. If the user is invalid, a random fake secret question is asked whose answer is always false and will not let the user pass, locking him out after 5 tries. This secret question is assigned on the basis of the hash value of the entered username.
Basically, the hacker will never know whether the user exists, because a question is asked irrespective of whether a user is present, and invalid users are never authenticated and are locked out after 5 tries.
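The flow the PR describes (a question for every username, a deterministic decoy derived from a hash of the name for unknown users, and a lockout after 5 failed tries), as an added example written for this page rather than code from the pull request or from OpenMRS. The user table, the decoy question list and the use of SHA-256 for the mapping are constructed for the example; `MAX_ATTEMPTS` is the 5-try limit stated above. The decoy pool is deliberately the same set of questions real users have, so the question shown gives no hint about whether the account exists, and answers are compared as fixed-length digests so both paths do the same amount of work.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (secret question, answer).
USERS = {
    "alice": ("What was the name of your first pet?", "rex"),
    "bob": ("In which city were you born?", "lagos"),
}

# Decoy questions for unknown usernames. Constructed; drawn from the same
# pool a real user could have chosen so the question itself is not a tell.
DECOY_QUESTIONS = [
    "What was the name of your first pet?",
    "In which city were you born?",
    "What is your mother's maiden name?",
    "What was the model of your first car?",
]

MAX_ATTEMPTS = 5          # lockout threshold from the PR description
_failed = {}              # username -> failed answer count (in-memory for the example)


def decoy_question(username):
    """Map an unknown username to one decoy question, deterministically.
    Hashing means the same name always yields the same question, so repeat
    lookups do not reveal the account is fake by changing the question."""
    digest = hashlib.sha256(username.encode("utf-8")).digest()
    return DECOY_QUESTIONS[int.from_bytes(digest[:4], "big") % len(DECOY_QUESTIONS)]


def question_for(username):
    """Always return a question, whether or not the account exists."""
    record = USERS.get(username)
    return record[0] if record is not None else decoy_question(username)


def _normalize(answer):
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).digest()


def failed_attempts(username):
    return _failed.get(username, 0)


def is_locked_out(username):
    return failed_attempts(username) >= MAX_ATTEMPTS


def check_answer(username, answer):
    """True only for a real user giving the right answer before lockout.
    Unknown users are checked against a fresh random secret, so they can
    never pass, and their failures are counted exactly like real users'."""
    if is_locked_out(username):
        return False
    record = USERS.get(username)
    if record is not None:
        expected = _normalize(record[1])
    else:
        expected = hashlib.sha256(secrets.token_bytes(16)).digest()
    if hmac.compare_digest(expected, _normalize(answer)):
        _failed.pop(username, None)
        return True
    _failed[username] = failed_attempts(username) + 1
    return False


if __name__ == "__main__":
    for name in ("alice", "nobody"):
        print(name, "->", question_for(name))
    for _ in range(MAX_ATTEMPTS):
        check_answer("nobody", "guess")
    print("nobody locked out:", is_locked_out("nobody"))
```

A check worth keeping in mind with this design: because lockouts are keyed by the submitted username, the counter store grows with every name tried, so a production version should bound it (expire entries, or key the limit by source as well as name) rather than keep an unbounded dictionary.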

Member


The generated password needs to be longer than the value of the required minimum password length. An arbitrary number like 8 should be used as the default value in case the global property is not set; otherwise this will fail if the admin has set the global property to a longer value like 12.
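An added example of the point raised in this review, not code from the pull request or from OpenMRS: the temporary password length is taken from the configured minimum, falling back to 8 when the property is absent or unparsable, and never dropping below that default. The global-property map and the key `security.passwordMinimumLength` are placeholders chosen for the example, and `generate_fixed_length_password` is the weak form the comment warns about, kept beside the corrected one so the failure with a 12-character minimum is visible.

```python
import secrets
import string

DEFAULT_MIN_PASSWORD_LENGTH = 8          # fallback suggested in the review
MIN_LENGTH_PROPERTY = "security.passwordMinimumLength"   # placeholder key for the example
ALPHABET = string.ascii_letters + string.digits


def required_length(global_properties):
    """Minimum length from a (constructed) global-property map.
    Missing, non-numeric or too-small values fall back to the default."""
    try:
        configured = int(global_properties.get(MIN_LENGTH_PROPERTY))
    except (TypeError, ValueError):
        return DEFAULT_MIN_PASSWORD_LENGTH
    return max(configured, DEFAULT_MIN_PASSWORD_LENGTH)


def generate_fixed_length_password():
    """Weak form: always 8 characters, regardless of the configured minimum."""
    return "".join(secrets.choice(ALPHABET) for _ in range(DEFAULT_MIN_PASSWORD_LENGTH))


def generate_temporary_password(global_properties):
    """Corrected form: length follows the configured minimum, at least the default."""
    length = required_length(global_properties)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def satisfies_minimum(password, global_properties):
    """The check the password-change step would apply to the generated value."""
    return len(password) >= required_length(global_properties)


if __name__ == "__main__":
    strict = {MIN_LENGTH_PROPERTY: "12"}
    print("fixed-length ok under min 12:",
          satisfies_minimum(generate_fixed_length_password(), strict))
    print("configured-length ok under min 12:",
          satisfies_minimum(generate_temporary_password(strict), strict))
```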
