
FINAL fix with tests for LUI-45 [Forgot Password Form Leaks Valid Usernames]

Saptarshi Purkayastha requested to merge pull/33/LUI-45-bholagabbar into master

Created by: bholagabbar

This is the Final Fix for the Leakage of Usernames that was occurring when a user clicked on the 'forgotPassword' link.

https://issues.openmrs.org/browse/LUI-45
In light of recent comments on the ticket, it has come to notice that this is a serious security issue and must be resolved ASAP. If you see the comments, you will notice that this code fixes the issue as per ticket description and quite well in general.
The Issue: Whenever a hacker enters the name of a random user, and the user is valid, his/her secret question is shown. This is a major vulnerability that had to be addressed.

The Fix: The solution is to ask ANY user a secret question. If the user is invalid, a random Fake Secret Question is asked whose answer is always false and will not let the user pass, locking him out after 5 tries. This secret question is assigned on the basis of the hash value of the entered username. Basically, the hacker will never know if the user exists, because a question is asked irrespective of whether a user is present, and invalid users are never authenticated and are locked out after 5 tries.
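The behaviour described in the fix (a question returned for every username, a decoy chosen from the hash of unknown names, lockout after 5 failed tries) as an added Python illustration; this is not code from the OpenMRS merge request, and the user table, question pool and `ForgotPasswordService` name are constructed for the example. It assumes the decoy pool uses the same wording as real users' questions, so a decoy cannot be told apart by its text.

```python
import hashlib
import hmac

# Constructed sample data: two real accounts with their own secret questions.
USERS = {
    "alice": {"question": "What was the name of your first pet?", "answer": "rex"},
    "bob": {"question": "In what city were you born?", "answer": "lima"},
}

# Decoy pool (constructed). Drawn from the same questions real users can choose,
# so the response for an unknown name looks exactly like one for a known name.
FAKE_QUESTIONS = [
    "What was the name of your first pet?",
    "In what city were you born?",
    "What is your mother's maiden name?",
    "What was the make of your first car?",
]


class ForgotPasswordService:
    def __init__(self, users, fake_questions, max_attempts=5):
        self.users = users
        self.fake_questions = fake_questions
        self.max_attempts = max_attempts
        self.failed = {}  # username -> consecutive failed answers

    def secret_question(self, username):
        """Return a question for every username, real or not."""
        user = self.users.get(username)
        if user is not None:
            return user["question"]
        # Unknown name: pick a decoy deterministically from a hash of the name,
        # so repeated lookups of the same name always get the same question.
        digest = hashlib.sha256(username.encode("utf-8")).digest()
        idx = int.from_bytes(digest[:4], "big") % len(self.fake_questions)
        return self.fake_questions[idx]

    def is_locked(self, username):
        return self.failed.get(username, 0) >= self.max_attempts

    def check_answer(self, username, answer):
        """True only for a real user giving the right answer while not locked out.
        The same counter applies to real and decoy names, so lockout timing
        does not reveal which kind of name was entered."""
        if self.is_locked(username):
            return False
        self.failed[username] = self.failed.get(username, 0) + 1
        user = self.users.get(username)
        if user is None:
            return False  # decoy question: no answer is ever accepted
        ok = hmac.compare_digest(user["answer"].lower(), answer.strip().lower())
        if ok:
            self.failed[username] = 0
        return ok
```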
