Comments (3)
Not sure this security issue is really usable:
- The victim is receiving an unsolicited, shifty password change mail
- the attack does not work if you have enabled the captcha
- and especially: there is already a configuration parameter for setting the URL: you just have to define:
# Reset URL (if behind a reverse proxy)
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
Maybe the only thing to do here is to insist on the use of $reset_url
in the documentation: https://self-service-password.readthedocs.io/en/stable/config_tokens.html#reset-url
from self-service-password.
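The point made in this comment, shown side by side in code: a reset link whose host comes from request headers versus one whose base is pinned in configuration, as $reset_url is meant to be. This is an added example, not code from the self-service-password project; the function names, the constructed sample request, the sample base URL and the `token` query parameter name are assumptions. One caveat on the commented-out line quoted above: X-Forwarded-Host and X-Forwarded-Proto are request headers like any other, so reading them is only sound when the reverse proxy in front of the application overwrites them on every request; a fixed string is the safer value for $reset_url when that is not guaranteed.

```php
<?php
declare(strict_types=1);

// Added example, not self-service-password's own code. Function names,
// the sample base URL and the "token" query parameter name are assumptions.

// Risky pattern: build the reset link base from request headers. Host and
// the X-Forwarded-* headers are supplied by the client unless the reverse
// proxy overwrites them, so the mailed link can point at a hostname that
// whoever sent the request chose.
function reset_link_from_request(array $server, string $token): string
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? ($https ? 'https' : 'http');
    $host  = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'];
    $base  = $proto . '://' . $host . $server['SCRIPT_NAME'];
    return $base . '?token=' . rawurlencode($token);
}

// Hardened pattern: pin the base URL in configuration (the role of
// $reset_url in config.inc.php) and validate it once; nothing taken from
// the request participates in the link.
function validated_reset_url(string $reset_url): string
{
    $parts = parse_url($reset_url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || empty($parts['host'])
        || isset($parts['query'])
        || isset($parts['fragment'])) {
        throw new InvalidArgumentException(
            'reset_url must be an absolute https URL without query or fragment'
        );
    }
    return $reset_url;
}

function reset_link_from_config(string $reset_url, string $token): string
{
    return validated_reset_url($reset_url) . '?token=' . rawurlencode($token);
}

// Defence in depth for deployments that legitimately answer on several
// hostnames: a request-derived host is usable only if it is on an explicit
// allow-list (hypothetical helper, a generalisation of the pinned URL).
function host_is_allowed(string $host, array $allowed_hosts): bool
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host)); // drop a port suffix
    return in_array($host, array_map('strtolower', $allowed_hosts), true);
}

// Constructed sample request: the forwarded host does not belong to the service.
$server = [
    'HTTPS'                  => 'on',
    'HTTP_HOST'              => 'ssp.example.org',
    'HTTP_X_FORWARDED_HOST'  => 'not-the-service.example',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'SCRIPT_NAME'            => '/resetpassword.php',
];
$token = bin2hex(random_bytes(16));

echo "from request: ", reset_link_from_request($server, $token), PHP_EOL;
echo "from config:  ", reset_link_from_config('https://ssp.example.org/resetpassword.php', $token), PHP_EOL;
var_dump(host_is_allowed($server['HTTP_X_FORWARDED_HOST'], ['ssp.example.org'])); // bool(false)
```

Running it prints a link carrying the forwarded hostname for the request-derived variant and a link on the configured host for the pinned variant; the allow-list check rejects the forwarded host. The validation in validated_reset_url is deliberately strict (https only, no query or fragment) so that a typo in the configured value fails loudly at startup rather than producing a malformed or downgraded link in every mail.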
See also Pull request: #824
This is a duplicate of #755
I agree with @davidcoutadeur we may only add a warning in the documentation