[Security]: Avoid user enumeration via reset password link (#808)

* fix potential email enumeration * Update LoginController.php * Update LoginController.php * Update LoginController.php
pimcore · Jan 14, 2025 · 96ae555 · 96ae555
1 parent 4132e38
commit 96ae555
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 21 deletions.
diff --git a/src/Controller/Admin/LoginController.php b/src/Controller/Admin/LoginController.php
@@ -274,18 +274,13 @@ public function lostpasswordAction(
 
             if ($error) {
                 Logger::error('Lost password service: ' . $error);
+                //to avoid timing based enumeration
+                usleep(random_int(50,200));
             }
         }
 
         $csrfProtection->regenerateCsrfToken($request->getSession());
 
-        if ($error) {
-            $params['reset_error'] = 'Please make sure you are entering a correct input.';
-            if ($error === 'user_reset_password_too_many_attempts') {
-                $params['reset_error'] = 'Too many attempts. Please retry later.';
-            }
-        }
-
         return $this->render('@PimcoreAdmin/admin/login/lost_password.html.twig', $params);
     }
 

diff --git a/templates/admin/login/lost_password.html.twig b/templates/admin/login/lost_password.html.twig
@@ -3,20 +3,11 @@
 {% block content %}
 
     {% if app.request.method == 'POST' %}
-        {% if reset_error is not defined %}
-            <div class="text success">
-                {{ 'A temporary login link has been sent to your email address.'|trans([],'admin') }}
-                <br/>
-                {{ 'Please check your mailbox.'|trans([],'admin') }}
-            </div>
-        {% else %}
-            <div class="text error">
-                {{ 'An error occured when resetting password:'|trans([],'admin') }}
-                {{ reset_error|trans([],'admin') }}
-                <br/>
-                {{ 'Please retry again later or contact an administrator.'|trans([],'admin') }}
-            </div>
-        {% endif %}
+        <div class="text success">
+            {{ 'A temporary login link has been sent to your email address.'|trans([],'admin') }}
+            <br/>
+            {{ 'Please check your mailbox.'|trans([],'admin') }}
+        </div>
     {% else %}
         <div class="text info">
             {{ 'Enter your username and pimcore will send a login link to your email address'|trans([],'admin') }}