Users running a non-download version of Vanilla (pulled from github), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open sources releases are not affected.

Security/spam issue: Limit Reset Password Feature to Emails Only

AnonymooseAnonymoose ✭✭
edited June 2014 in Feedback

Malicious users and scripts can reset the passwords of known usernames, creating an annoyance for forum users.

Suggestion: Limit the reset password feature to accept emails only, not usernames.

R_Jperegrine

Comments

  • They shouldn't have permission to do the the reset in the first place

    You can not reset either, unless you have access to the email

    Are you talking about password request or password request. With request you get an url with a special code to reset the password. if they don't have access tot he email it shoudl be possible.

    The only other thing is supposed to be for admins.

    If this is happening I would suspect Cross site scripting, which mean they can do other admin tasks too. Ther have been some examples of this.

    grep is your friend.

    R_J
  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    That's true: although button on "Forgot password" link reads "Request a new password", it only sends a link to reset password


  • peregrineperegrine MVP
    edited June 2014

    password theoretically can not be changed. but an email is still sent to the user when a spammer fakes a username on forgot password., it still sends an e-mail I believe and can flood the users inbox.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • What someone could do is spoof the email or some other story, in the hope that the genuine user will bee foolish to enough put the existing password in. However that is just phishing, you have no control over that.

    This particular thing maybe an annoyance, but highlight someone is trying it on. it doesn't stop some logging in normally.

    grep is your friend.

  • hgtonighthgtonight ∞ · New Moderator

    Flooding inboxes, while annoying, gives away that someone is doing it.

    Assuming it is a vindictive community member, access logs will help determine who it is.

    Is the request password function rate limited?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • AnonymooseAnonymoose ✭✭
    edited June 2014

    @R_J said:
    That's true: although button on "Forgot password" link reads "Request a new password", it only sends a link to reset password

    Good to know. I thought it actually resets the password and send an email with the new one.

    It is still an annoyance to get these password reset emails that others request. Emails are hidden, but usernames are not hidden from guests. The chance of guessing an email is low, and this problem of malicious password reset emails can be eliminated by making it emails only.

    @hgtonight said:
    Flooding inboxes, while annoying, gives away that someone is doing it.
    Assuming it is a vindictive community member, access logs will help determine who it is.

    Yes, but it can be someone who is no longer, or never was, part of the community.

  • LincLinc Director of Development Detroit Vanilla Staff

    If you have 12 email addresses like me and can't remember which one you used on that forum, suddenly requiring the email isn't so cool.

    I don't see what gain someone could get from programming a bot to send you spurious request emails so it seems like a weird problem not worth changing the software for.

  • @Linc said:
    I don't see what gain someone could get from programming a bot to send you spurious request emails so it seems like a weird problem not worth changing the software for.

    They gain 'lolz' from being annoying.

    peregrine
  • @Anonymoose said:
    They gain 'lolz' from being annoying.

    lolz

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

    Anonymoose
  • There is a whole culture of people on the internet that do things with no apparent purpose other than get excited from the fact that they are annoying others. In such an environment, hardening software to limit points of exposure to malicious users while at the same time making it usable to intended categories of users is necessary.

  • peregrineperegrine MVP
    edited July 2014

    @Anonymoose said:
    There is a whole culture of people on the internet that do things with no apparent purpose other than get excited from the fact that they are annoying others. In such an environment, hardening software to limit points of exposure to malicious users while at the same time making it usable to intended categories of users is necessary.

    I haven't tested if it affects other areas of signing in. but if its worth it to you, you could experiment.

    comment out this line

    https://github.com/vanilla/vanilla/blob/2.1/applications/dashboard/models/class.usermodel.php#L3180

    or write a plugin that gets called after $this->FireEvent('BeforePasswordRequest'); and create a new view as well.

    that re-checks only user e-mail only if you want.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

    Anonymoose
  • AnonymooseAnonymoose ✭✭
    edited July 2014

    Interesting that this topic has been brought up in the past, and ignored.

    @orlick said:
    I'm running into a pretty serious problem on my forum right now where people have automated asking for a password reset and are firing off hundreds of password reset requests to everyone on the board. Has anyone else run into this problem? I think the best solution is to require the user to enter their email in order to get a password reset since that is private information. I am going to work on patching Vanilla today (or try to add an extension for this if possible)

    http://vanillaforums.org/discussion/8055/password-reset-spam-bug

    hgtonightUnderDog
  • LincLinc Director of Development Detroit Vanilla Staff

    Coming back a week later to bump this with a link to a post 6 years ago about Vanilla 1 to imply you're being "ignored" makes it sound like you want to frame us as negligent for not agreeing to / prioritizing the thing you want. If you'd like it changed, file an issue and send a pull request with an explanation. Or write a plugin.

    I'm not into it, so I'm not going to add that to my insane pile of work to do. That doesn't mean I'm denying it entrance to core or something.

    hgtonightUnderDog
Sign In or Register to comment.