From 2d49bde7bc3f8a73b325064549b41e1cf341e5d7 Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Tue, 30 Apr 2024 18:51:52 +0530
Subject: [PATCH] Fix to send neutral response for forgotpassword

---
 .../modules/CustomerPortal/apis/ForgotPassword.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/apis/ForgotPassword.php b/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/apis/ForgotPassword.php
index ad8ce5a8d..7a92706e2 100644
--- a/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/apis/ForgotPassword.php
+++ b/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/apis/ForgotPassword.php
@@ -16,6 +16,10 @@ class CustomerPortal_ForgotPassword extends CustomerPortal_API_Abstract {
 $user = new Users();
 $current_user = $user->retrieveCurrentUserInfoFromFile($userId);
+ // send back neutral response to avoid CRM system state or user enumeration attacks.
+ $neutralResponse = new CustomerPortal_API_Response(); // set this to false in case you need specific response.
+ $neutralResponse->setResult(vtranslate('LBL_MAIL_SENT', 'HelpDesk'));
+
 $response = new CustomerPortal_API_Response();
 $mailid = $request->get('email');
 $current_date = date("Y-m-d");
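Review bot: The `// set this to false` toggle on the `$neutralResponse` line cannot be used as written: `$neutralResponse` holds a `CustomerPortal_API_Response` object, which is always truthy, so the `if (!$neutralResponse)` guards in the second hunk can never throw, and assigning `false` here would make the very next `->setResult()` call a fatal error. Keep the switch separate from the response object, e.g. `$sendNeutralResponse = true; // false restores the specific error responses` placed before the existing `$neutralResponse = new CustomerPortal_API_Response();` and `setResult` lines, and test `$sendNeutralResponse` in the two guards and the final return of the second hunk. The enclosing method starts before this hunk.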
@@ -68,14 +72,15 @@ class CustomerPortal_ForgotPassword extends CustomerPortal_API_Abstract {
 }
 $response->setResult($ret_msg);
 } else if ($isActive && $support_end_date <= $current_date) {
- throw new Exception('Access to the portal was disabled on '.$support_end_date, 1413);
+ if (!$neutralResponse) throw new Exception('Access to the portal was disabled on '.$support_end_date, 1413);
 } else if ($isActive == 0) {
- throw new Exception('Portal access has not been enabled for this account.', 1414);
+ if (!$neutralResponse) throw new Exception('Portal access has not been enabled for this account.', 1414);
 }
 } else {
 $response->setError('1412', 'Invalid email');
 }
- return $response;
+
+ return $neutralResponse ? $neturalResponse : $response;
 }
 function authenticatePortalUser($username, $password) {
-- 
GitLab
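Review bot: `$neturalResponse` in the new `return` line is a typo for `$neutralResponse`, and because the object is truthy the ternary always takes that branch, so the endpoint returns an undefined variable (null, with a warning) for every request — including successful ones where `$response->setResult($ret_msg)` was populated — instead of the neutral `LBL_MAIL_SENT` result. The line should read `return $neutralResponse ? $neutralResponse : $response;`, or test a boolean switch declared next to the object in the first hunk. With the neutral path active the `'Invalid email'` error and the two disabled-access exceptions are all masked, which matches the stated intent; note that only the response body is neutralised, so if the mail-sending path takes noticeably longer than the error paths that difference is not addressed by this change. The enclosing method starts before this hunk.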