CPANEL-40668 - Case sensitivity for usernames in webmail password reset
Please tell me this is a bug (v102.0.16):
We've got a bunch of users set up with alternate emails so they can reset their mail passwords. If user abc@domain.com has abc@gmail.com for a recovery address and puts in abc@domain.com for his email, the correct obscured recovery address hint comes up like a--c@g--l.com. Nice. Really saves on support.
However if the user enters Abc@domain.com, the recovery address is randomly generated like p--9@b--g.com and clearly invalid. Generates many trivial support tickets. Not nice.
Surely the user's email should be mapped to lowercase before looking for a recovery address?
A great question, one which deserves looking at in detail, so I'd like to bounce . Why would cpanel convert Abc to p-9. Clearly something isn't right. If the Cpanel guys don't come back with an answer, maybe a support request might be in order.
I *think* this has come up recently. Let me see if I can find a case...
Why would cpanel convert Abc to p-9. Clearly something isn't right.
It's a security thing. Since the provided email [incorrectly] doesn't match a valid email, cPanel is providing a bogus hint. It's basically random. That way someone phishing for a valid address gains no information from the attempt.
I didn't find an existing case so I created CPANEL-40668 with our developers to address the case-sensitivity issue. Thanks for bringing this up!
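The behaviour discussed in this thread, as an added example that is not cPanel's code and not part of the original posts: the account address is normalized before the recovery lookup, so only genuinely unknown addresses receive a bogus hint. All function names, the sample data, the demo key and the keyed-hash decoy (which returns the same bogus hint each time the same address is entered) are assumptions made for illustration; the mask format is inferred from the a--c@g--l.com hint quoted above.

```python
import hashlib
import hmac
import string

# Constructed sample data: account address -> recovery address (not from cPanel).
RECOVERY = {"abc@domain.com": "abc@gmail.com"}
DECOY_KEY = b"constructed-demo-key"  # placeholder; a real server-side secret in practice
ALPHABET = string.ascii_lowercase + string.digits


def normalize(address: str) -> str:
    """Trim and fold case so Abc@domain.com and abc@domain.com are the same key."""
    return address.strip().lower()


def obscure(recovery: str) -> str:
    """Mask a stored recovery address: abc@gmail.com -> a--c@g--l.com."""
    local, _, domain = recovery.partition("@")
    label, _, rest = domain.partition(".")
    return f"{local[0]}--{local[-1]}@{label[0]}--{label[-1]}.{rest}"


def decoy(address: str) -> str:
    """Bogus hint for an unknown account, derived from a keyed hash of the
    address so that repeating the request returns the same hint."""
    digest = hmac.new(DECOY_KEY, address.encode(), hashlib.sha256).digest()
    c = [ALPHABET[b % len(ALPHABET)] for b in digest[:4]]
    return f"{c[0]}--{c[1]}@{c[2]}--{c[3]}.com"


def reset_hint(entered: str) -> str:
    """Normalize first, then look up; fall back to a decoy only on a real miss."""
    key = normalize(entered)
    recovery = RECOVERY.get(key)
    return obscure(recovery) if recovery else decoy(key)


def reset_hint_case_sensitive(entered: str) -> str:
    """The reported behaviour: the raw input is used as the lookup key."""
    recovery = RECOVERY.get(entered)
    return obscure(recovery) if recovery else decoy(entered)


if __name__ == "__main__":
    for addr in ("abc@domain.com", "Abc@domain.com", "nobody@domain.com"):
        print(addr, reset_hint_case_sensitive(addr), reset_hint(addr))
```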