Final fix with tests for LUI-45 [Forgot Password Form Leaks Valid Usernames]

Saptarshi Purkayastha requested to merge pull/31/LUI-45-bholagabbar into master

Created by: bholagabbar

This is the Final Fix for the Leakage of Usernames that was occurring when a user clicked on the 'forgotPassword' link.

https://issues.openmrs.org/browse/LUI-45

The Issue: Whenever a hacker enters the name of a random user, and the user is valid, his/her secret question is shown. This is a major vulnerability that had to be addressed.

The Fix: The solution is to ask ANY user a secret question. If the user is invalid, a random Fake Secret Question is asked whose answer is always false and will not let the user pass, locking him out after 5 tries. This secret question is assigned on the basis of the hash value of the entered username.
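The following is an added illustration of the approach described above, not code from this merge request or from OpenMRS: a leaky lookup that answers differently for unknown usernames, beside a version that always returns a question, picks the decoy deterministically from a hash of the username, never accepts an answer for an unknown user, and applies the same five-attempt lockout to real and fake users. The user store, question pool, and attempt counter are constructed in-memory stand-ins; the function names are my own.

```python
import hashlib
import hmac

# Constructed sample data standing in for the real user store.
# Decoy questions are drawn from the same pool as real ones, so the
# question text itself cannot reveal whether the account exists.
QUESTION_POOL = [
    "What was the name of your first pet?",
    "In what city were you born?",
    "What is your mother's maiden name?",
    "What was the name of your first school?",
]


def _answer_hash(answer):
    """Normalise and hash a secret answer (illustration only)."""
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


USERS = {
    "alice": {"question": QUESTION_POOL[1], "answer_hash": _answer_hash("Lisbon")},
    "bob": {"question": QUESTION_POOL[0], "answer_hash": _answer_hash("Rex")},
}

MAX_ATTEMPTS = 5
_attempts = {}  # username -> failed attempts (in-memory stand-in for persistence)

# Dummy hash compared against for unknown users so the check does the same work.
_DUMMY_HASH = _answer_hash("no-such-answer")


def vulnerable_secret_question(username):
    """Leaky behaviour: a valid username yields a question, an invalid one does not."""
    user = USERS.get(username)
    return user["question"] if user else None


def fixed_secret_question(username):
    """Every username gets a question. Unknown names get a decoy chosen from
    the hash of the username, so repeated lookups for the same name are
    consistent and the decoy looks like any other question."""
    user = USERS.get(username)
    if user:
        return user["question"]
    digest = hashlib.sha256(username.encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(QUESTION_POOL)
    return QUESTION_POOL[index]


def check_secret_answer(username, answer):
    """True only for a real user with the correct answer. Unknown users can
    never pass, and the lockout counter is kept for them exactly as for real
    users, so the lockout behaviour does not leak account existence either."""
    if _attempts.get(username, 0) >= MAX_ATTEMPTS:
        return False
    user = USERS.get(username)
    expected = user["answer_hash"] if user else _DUMMY_HASH
    matched = hmac.compare_digest(_answer_hash(answer), expected)
    if matched and user is not None:
        _attempts.pop(username, None)
        return True
    _attempts[username] = _attempts.get(username, 0) + 1
    return False


def is_locked(username):
    return _attempts.get(username, 0) >= MAX_ATTEMPTS


if __name__ == "__main__":
    print("vulnerable, unknown user:", vulnerable_secret_question("mallory"))
    print("fixed, unknown user:", fixed_secret_question("mallory"))
    print("fixed, known user:", fixed_secret_question("alice"))
```

The decoy must be deterministic per username: if a fresh random question were returned on every request, an observer could separate accounts whose question is stable from those whose question changes. Response timing matters for the same reason, which is why the answer check hashes and compares even when no user exists.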