security: Username Discoverability

This mitigates a vulnerability reported by haxtron on [huntr.dev](https://huntr.dev/) where usernames can be discovered by the message returned when a username is invalid. This makes it to where regardless of if the username is correct or not it will display a message stating `If the information provided is valid a password reset email will be sent to the email address you have on file.`. This blocks the chance of someone finding a valid username by brute force guessing.
osTicket · Oct 7, 2021 · 86165c2 · 86165c2
1 parent e282910
commit 86165c2
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 6 deletions.
diff --git a/include/client/pwreset.sent.php b/include/client/pwreset.sent.php
@@ -5,7 +5,7 @@
 
 <form action="pwreset.php" method="post" id="clientLogin">
 <div style="width:50%;display:inline-block"><?php echo __(
-    'We have sent you a reset email to the email address you have on file for your account. If you do not receive the email or cannot reset your password, please submit a ticket to have your account unlocked.'
+    'If the information provided is valid a password reset email will be sent to the email address you have on file. If you do not receive the email or have trouble reseting your password, please contact support.'
 ); ?>
     </div>
 </form>
diff --git a/include/staff/pwreset.sent.php b/include/staff/pwreset.sent.php
@@ -15,7 +15,7 @@
     </a></h1>
     <h3><?php echo __('A confirmation email has been sent'); ?></h3>
     <h3 style="color:black;"><em><?php echo __(
-    'A password reset email was sent to the email on file for your account.  Follow the link in the email to reset your password.'
+    'If the information provided is valid a password reset email will be sent to the email address you have on file. Follow the link in the email to reset your password.'
     ); ?>
     </em></h3>
 

diff --git a/pwreset.php b/pwreset.php
@@ -29,8 +29,8 @@
                         .' '.__('Internal error occurred');
             }
             else
-                $banner = sprintf(__('Unable to verify username %s'),
-                    Format::htmlchars($_POST['userid']));
+                $inc = 'pwreset.sent.php';
+
             break;
         case 'reset':
             $inc = 'pwreset.login.php';

diff --git a/scp/pwreset.php b/scp/pwreset.php
@@ -53,8 +53,7 @@
                 }
             }
             else
-                $msg = sprintf(__('Unable to verify username %s'),
-                    Format::htmlchars($_POST['userid']));
+                $tpl = 'pwreset.sent.php';
             break;
         case 'newpasswd':
             // TODO: Compare passwords