From 86165c2e6b847d910bc3fc93444d18b6173215de Mon Sep 17 00:00:00 2001
From: JediKev
Date: Thu, 7 Oct 2021 14:39:21 +0000
Subject: [PATCH] security: Username Discoverability

This mitigates a vulnerability reported by haxtron on [huntr.dev](https://huntr.dev/) where usernames can be discovered by the message returned when a username is invalid. This makes it to where regardless of if the username is correct or not it will display a message stating `If the information provided is valid a password reset email will be sent to the email address you have on file.`. This blocks the chance of someone finding a valid username by brute force guessing.
---
include/client/pwreset.sent.php | 2 +-
include/staff/pwreset.sent.php | 2 +-
pwreset.php | 4 ++--
scp/pwreset.php | 3 +--
4 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/include/client/pwreset.sent.php b/include/client/pwreset.sent.php
index 91c4720bce..6afcb3f91c 100644
--- a/include/client/pwreset.sent.php
+++ b/include/client/pwreset.sent.php
@@ -5,7 +5,7 @@
diff --git a/include/staff/pwreset.sent.php b/include/staff/pwreset.sent.php
index bd6ce08963..d918d3449f 100644
--- a/include/staff/pwreset.sent.php
+++ b/include/staff/pwreset.sent.php
@@ -15,7 +15,7 @@

diff --git a/pwreset.php b/pwreset.php index b2c42a6a79..3dff5c0653 100644 --- a/pwreset.php +++ b/pwreset.php @@ -29,8 +29,8 @@ .' '.__('Internal error occurred'); } else - $banner = sprintf(__('Unable to verify username %s'), - Format::htmlchars($_POST['userid'])); + $inc = 'pwreset.sent.php'; + break; case 'reset': $inc = 'pwreset.login.php'; diff --git a/scp/pwreset.php b/scp/pwreset.php index 10ce4fd76a..0be74c62c7 100644 --- a/scp/pwreset.php +++ b/scp/pwreset.php @@ -53,8 +53,7 @@ } } else - $msg = sprintf(__('Unable to verify username %s'), - Format::htmlchars($_POST['userid'])); + $tpl = 'pwreset.sent.php'; break; case 'newpasswd': // TODO: Compare passwords
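Review bot: The unknown-username `else` in pwreset.php now renders `pwreset.sent.php`, but the context line directly above it still sets a banner ending in `Internal error occurred`, which appears to be reached only after the lookup succeeded, so a response that differs from the generic page still points to an existing account. Consider sending that failure path to the same template and recording the error server-side, i.e. `$inc = 'pwreset.sent.php';` in place of the banner assignment. The rest of this `case`, and of the matching one in scp/pwreset.php, starts outside the hunks, so any other account-specific message set there would need the same treatment. Response time may also differ if the reset mail is sent synchronously only on the valid path; that is inferred, not visible in the hunk.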
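Review bot: The added `$tpl = 'pwreset.sent.php';` in the `else` branch of scp/pwreset.php carries no comment saying that showing the "sent" page for an unknown username is deliberate, so a later cleanup could easily restore a distinct error message. A one-line comment above it would record the intent: `// Unknown username: show the same "sent" page so the response does not reveal whether the account exists.` The same comment fits the `$inc = 'pwreset.sent.php';` line in pwreset.php. Because both `else` branches are braceless, wrapping the commented statement in braces would also keep the branch body unambiguous.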