Issue
Insecure default configuration may allow remote attackers to enumerate users' email addresses via the forgot password functionality. This can be a risk in the case of public-facing deployments.
Environment
- Liferay DXP 6.2 EE
- Liferay DXP 7.0-7.2
Resolution
It is recommended to set the portal property login.secure.forgot.password to true in your portal-ext.properties.
On the specified product versions, this property defaults to "false":
# Set this to true to prevent attempts to enumerate the portal's users via
# the forgot password feature. This feature will no longer show an error
# that would reveal a user's existence.
login.secure.forgot.password=false
To avoid causing unwanted behavior change in existing deployments, Liferay will not change this default setting in a Fix Pack/Service Pack.
Long Term Resolution
In Liferay DXP 7.3 this property defaults to "true".
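As an added example (not Liferay code), the following script audits a portal-ext.properties file for this property, applying the version defaults stated above when the property is absent. It assumes standard Java .properties syntax and treats versions not listed in the article as insecure by default; the sample file contents are constructed.

```python
"""Audit portal-ext.properties for login.secure.forgot.password (added example)."""
import re

PROPERTY = "login.secure.forgot.password"

# Default shipped with each product version, as stated in the article.
# Unknown versions are treated as insecure (assumption, conservative choice).
VERSION_DEFAULTS = {"6.2": False, "7.0": False, "7.1": False, "7.2": False, "7.3": True}

# key=value, key: value or key value; key may not start with a comment marker
_LINE_RE = re.compile(r"^\s*([^#!\s:=][^\s:=]*)\s*[:=\s]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: joins backslash line continuations,
    skips blank and '#'/'!' comment lines, last assignment of a key wins."""
    props = {}
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def effective_setting(text: str, version: str) -> bool:
    """Effective value: the explicit setting if present, else the version default."""
    props = parse_properties(text)
    if PROPERTY in props:
        return props[PROPERTY].strip().lower() == "true"
    return VERSION_DEFAULTS.get(version, False)


def audit(text: str, version: str) -> str:
    """One-line finding suitable for a hardening checklist."""
    source = "explicit" if PROPERTY in parse_properties(text) else f"default for DXP {version}"
    if effective_setting(text, version):
        return f"OK: {PROPERTY} is true ({source})"
    return f"FINDING: {PROPERTY} is false ({source}); set {PROPERTY}=true in portal-ext.properties"


# Constructed sample: a 7.2 deployment that never set the property.
SAMPLE_PORTAL_EXT = "# constructed sample portal-ext.properties\nlocale.default.request=true\n"

if __name__ == "__main__":
    print(audit(SAMPLE_PORTAL_EXT, "7.2"))
    print(audit(SAMPLE_PORTAL_EXT, "7.3"))
```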