HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Security/spam issue: Limit Reset Password Feature to Emails Only
Anonymoose
Comments
They shouldn't have permission to do the reset in the first place
You can not reset either, unless you have access to the email
Are you talking about password reset or password request? With request you get a URL with a special code to reset the password. If they don't have access to the email it shouldn't be possible.
The only other thing is supposed to be for admins.
If this is happening I would suspect cross-site scripting, which means they can do other admin tasks too. There have been some examples of this.
grep is your friend.
That's true: although button on "Forgot password" link reads "Request a new password", it only sends a link to reset password
The password theoretically can not be changed, but an email is still sent to the user when a spammer fakes a username on "Forgot password". It still sends an e-mail, I believe, and can flood the user's inbox.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
What someone could do is spoof the email or some other story, in the hope that the genuine user will be foolish enough to put the existing password in. However, that is just phishing; you have no control over that.
This particular thing may be an annoyance, but it highlights that someone is trying it on. It doesn't stop someone logging in normally.
grep is your friend.
Flooding inboxes, while annoying, gives away that someone is doing it.
Assuming it is a vindictive community member, access logs will help determine who it is.
Is the request password function rate limited?
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Good to know. I thought it actually resets the password and sends an email with the new one.
It is still an annoyance to get these password reset emails that others request. Emails are hidden, but usernames are not hidden from guests. The chance of guessing an email is low, and this problem of malicious password reset emails can be eliminated by making it emails only.
Yes, but it can be someone who is no longer, or never was, part of the community.
If you have 12 email addresses like me and can't remember which one you used on that forum, suddenly requiring the email isn't so cool.
I don't see what gain someone could get from programming a bot to send you spurious request emails so it seems like a weird problem not worth changing the software for.
They gain 'lolz' from being annoying.
lolz
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
There is a whole culture of people on the internet that do things with no apparent purpose other than get excited from the fact that they are annoying others. In such an environment, hardening software to limit points of exposure to malicious users while at the same time making it usable to intended categories of users is necessary.
I haven't tested if it affects other areas of signing in, but if it's worth it to you, you could experiment.
Comment out this line:
https://github.com/vanilla/vanilla/blob/2.1/applications/dashboard/models/class.usermodel.php#L3180
Or write a plugin that gets called after $this->FireEvent('BeforePasswordRequest'); and create a new view as well,
one that re-checks only the user's e-mail, if you want.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
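As an added illustration of the two ideas raised in this thread, accepting only an e-mail address on the reset form and rate limiting the request, here is a small stand-alone model of such a handler. It is not Vanilla's code and not the plugin peregrine describes; the class name, the limits, the addresses and the IP are made up for the example.

```python
"""Added example (not Vanilla's code): a password-reset request handler that
looks accounts up by e-mail only, answers identically whether or not the
address exists, and rate-limits requests per address and per client IP.
"""
from collections import defaultdict, deque
import secrets
import time


class ResetRequestHandler:
    """Hypothetical handler; limits and names are assumptions for the demo."""

    def __init__(self, users_by_email, send_mail,
                 max_per_window=3, window_seconds=3600, clock=time.time):
        # users_by_email: {email -> username}, supplied by the caller.
        self.users = {e.lower(): u for e, u in users_by_email.items()}
        self.send_mail = send_mail          # callable(address, token)
        self.max = max_per_window
        self.window = window_seconds
        self.clock = clock                  # injectable for testing
        self._hits = defaultdict(deque)     # key -> recent request timestamps

    def _allowed(self, key):
        """Sliding-window counter: True if this key is under its allowance."""
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True

    def request(self, identifier, client_ip):
        # Only an address is accepted; a bare username is refused up front, so
        # a public member list cannot be turned into a list of mail targets.
        if "@" not in identifier:
            return "rejected: e-mail address required"
        email = identifier.strip().lower()
        # Throttle per source IP and per target address; both counters are
        # updated so a throttled attempt is still recorded.
        ip_ok = self._allowed(("ip", client_ip))
        email_ok = self._allowed(("email", email))
        if not (ip_ok and email_ok):
            return "throttled"
        if email in self.users:
            token = secrets.token_urlsafe(32)   # single-use reset token
            self.send_mail(email, token)
        # Same reply for known and unknown addresses: no account enumeration.
        return "ok"


def run_demo():
    """Exercise the handler on constructed sample data and report results."""
    outbox = []
    now = [1000.0]                           # fake clock, seconds
    h = ResetRequestHandler({"alice@example.test": "alice"},   # constructed
                            send_mail=lambda addr, tok: outbox.append(addr),
                            max_per_window=3, window_seconds=3600,
                            clock=lambda: now[0])
    ip = "203.0.113.9"                       # constructed documentation IP
    results = {
        "username_only": h.request("alice", ip),
        "known_email": h.request("Alice@example.test", ip),
        "unknown_email": h.request("nobody@example.test", ip),
    }
    h.request("alice@example.test", ip)      # third request from this IP
    results["fourth_from_ip"] = h.request("alice@example.test", ip)
    now[0] += 3601                           # the window elapses
    results["after_window"] = h.request("alice@example.test", ip)
    results["mails_sent"] = len(outbox)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two properties worth copying are that the reply never reveals whether the address exists, and that the throttle is keyed on both the requester and the target, so neither a single bored user nor a distributed one can flood one member's inbox indefinitely.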
Thanks! @peregrine
Interesting that this topic has been brought up in the past, and ignored.
http://vanillaforums.org/discussion/8055/password-reset-spam-bug
Coming back a week later to bump this with a link to a post 6 years ago about Vanilla 1 to imply you're being "ignored" makes it sound like you want to frame us as negligent for not agreeing to / prioritizing the thing you want. If you'd like it changed, file an issue and send a pull request with an explanation. Or write a plugin.
I'm not into it, so I'm not going to add that to my insane pile of work to do. That doesn't mean I'm denying it entrance to core or something.