request #14709 Lost password procedure can be used to spam a user

Artifact

Infos

Artifact ID#14709

Submitted byThomas Gerbet (tgerbet)

Last Modified On2020-06-16 12:24

Submitted on2020-03-23 09:44

Rank15957

Details

Summary *

Lost password procedure can be used to spam a user

Original Submission

An annoying user only knowing the username of another user can use the "Lost password" procedure to send him/her a lot of mails.

Besides being annoyed by those emails, there is not much risk with them: the content of the emails is not under the control of the annoying user and it is not a DoS risk (password procedure still works and the legitimate user can still login).

Credits

Issue has been reported by Ronit Bhatt via the security bug report procedure.

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2020-06-16

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #14816	Tuleap	Releases	11.16	Delivered	2020-29-06 11:51	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #14709

Git commit

tuleap/tuleap/stable

Move Tuleap\User\Password\Reset\LostPasswordDAO to Tuleap\DB\DataAccessObject 4ffe9f5d46

Thomas Gerbet (tgerbet) , 2020-06-10 19:32

Rate-limit per user the lost password procedure 688f7e443b

Thomas Gerbet (tgerbet) , 2020-06-15 16:55

Show items referenced by request #14709

Referenced by request #14709

Artifact Tracker v5

rel #14816 11.16

Other

gerrit #19193

gerrit #19235

Follow-ups

Joris MASSON (jmasson)

2020-06-16 12:24

gerrit #19235 integrated into Tuleap 11.15.99.137

Status changed from Verified to Closed
Connected artifacts
- Added Fixed in: rel #14816
Close date set to 2020-06-16

Joris MASSON (jmasson)

2020-06-15 14:33

gerrit #19193 integrated into Tuleap 11.15.99.130

Thomas Gerbet (tgerbet)

2020-03-24 11:22

Adding credits.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Public