Hello, I am on version 1.6.2 of InvoicePlane. The password reset link will send emails to whatever email the user enters in the password reset field. The app shouldn't send emails in case the user doesn't exist after he clicks on reset password, because a bot can go on the website and start to abuse the form, and the server will send emails to non-existent email addresses and eventually will end up on an RBL.
Thanks for reporting that
I would have preferred if you had sent it to mail@invoiceplane.com according to the security.md file, but ok.
Make a PR that receives the email address from the password reset link and tries to prevent the abuse when the email address isn't found.
Basically blocking bots from abusing the link
Hello, I don't know if that was pointed at me to do on my installation, but I am just a user and don't have enough PHP knowledge to modify it. I have found two files but cannot tell if those are the only related ones:
./application/modules/sessions/views/session_passwordreset.php
./application/views/emails/passwordreset.php
https://github.com/InvoicePlane/InvoicePlane/blob/development/application/modules/sessions/controllers/Sessions.php#L91
This will just log, but the server still sends an email:

```php
// Only checks that the address is syntactically valid; a well-formed
// address that belongs to no user passes this check.
if ( ! filter_var($email, FILTER_VALIDATE_EMAIL)) {
    log_message('error', 'Incoming email is not a valid email address in passwordreset ' . $email);
    redirect('/');
}
```
And this is preventing abuse of the server to send more than 10 emails to one email address, but if you enter different ones (or fake ones that a bot generates randomly) they all go through.

```php
// Prevent brute force attacks by counting password resets.
// The counter is keyed on the submitted email address, so each new
// address starts with a fresh budget of 10 attempts.
$login_log_check = $this->_login_log_check($email);
if ( ! empty($login_log_check) && $login_log_check->log_count > 10) {
    // Over the limit for this address: bounce back to the referring page.
    redirect($_SERVER['HTTP_REFERER']);
} else {
    // A password recovery attempt counts as a failed login.
    $this->_login_log_addfailure($email);
}
```