In Progress CPANEL-40668 - Case sensitivity for usernames in webmail password reset

[LoadFactor]

Please tell me this is a bug (v102.0.16):

We've got a bunch of users set up with alternate emails so they can reset their mail passwords. If user [email protected] has [email protected] for a recovery address and puts in [email protected] for his email, the correct obscured recovery address hint comes up like [email protected]. Nice. Really saves on support.

However if the user enters [email protected], the recovery address is randomly generated like [email protected] and clearly invalid. Generates many trivial support tickets. Not nice.

Surely the user's email should be mapped to lowercase before looking for a recovery address?

 

[keat63]

A great question, one which deserves looking at in detail, so I'd like to bounce .

Why would cpanel convert Abc to p-9.
Clearly something isn't right.

if the Cpanel guys don't come back with an answer, maybe a support request might be in order.

 

[cPRex]

I *think* this has come up recently. Let me see if I can find a case...

 

[LoadFactor]

Why would cpanel convert Abc to p-9.
Clearly something isn't right.

It's a security thing. Since the provided email [incorrectly] doesn't match a valid email, cPanel is providing a bogus hint. It's basically random. That way someone phishing for a valid address gains no information from the attempt.

 

[cPRex]

I didn't find an existing case so I created CPANEL-40668 with our developers to address the case-sensitivity issue. Thanks for bringing this up!