
Password reset requests

I've been getting multiple requests for password resets that were not initiated by me. Other administrators of the site have been getting the same. Obviously, we have not been clicking the link to initiate the reset; however, it seems that this is a security breach. The request looks like this:

==================
A request has been made to reset your password for MY WEBSITE URL. You can reset your password by copying and pasting the following URL into the location bar of your web browser:

http://www.mywebsite.com/people.php?PostBackAction=PasswordResetForm&u=

If you did not make this request, please disregard this email and your password will remain unchanged.
=================

Any ideas on how this could be happening? My email is set to private, and so is the email of the other admins.

Comments

  • I guess I answered my own question. You don't need the user email to do a password reset, all you need is their user name. This is unfortunate. The request for a password reset should be initiated by an email address, not user name, as one cannot hide their user name. Any suggestions on how to change this?
  • It's not a security breach--anybody can do that. Someone is probably probing this functionality for something like a reminder that would make a password easier to guess.

    Look in your access log for mywebsite.com/people.php?PostBackAction=PasswordRequestForm. Match up those entries with the times the emails were sent, and you will have the IP address of your jokester. Alternatively, an extension can be written to log this information.


    Oh, and I would clear out at least part of the string following the &K= on that URL you posted--if someone were to guess where your forum is (and that key hasn't been overwritten yet), they would be able to reset your password.
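The log-matching step the comment above describes, as an added example that is not part of the original thread or of Vanilla itself: it filters an Apache/NCSA combined-format access log down to POST submissions of people.php?PostBackAction=PasswordRequestForm, then pairs each unsolicited reset email (by its Date header) with the submission that immediately preceded it. The log lines, the email dates, the combined log format and the 30-second matching window are all assumptions constructed for the example.

```python
"""Correlate unsolicited password-reset emails with access-log hits on the reset form."""
import re
from collections import Counter
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (Apache combined format); these are not real requests.
ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2009:22:41:03 +0000] "GET /people.php?PostBackAction=PasswordRequestForm HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2009:22:41:09 +0000] "POST /people.php?PostBackAction=PasswordRequestForm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Mar/2009:22:41:10 +0000] "GET /index.php HTTP/1.1" 200 9820 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2009:01:12:44 +0000] "POST /people.php?PostBackAction=PasswordRequestForm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [15/Mar/2009:09:30:00 +0000] "POST /people.php?PostBackAction=PasswordRequestForm HTTP/1.1" 302 0 "-" "curl/7.19"
"""

# Constructed sample: Date headers copied from the unsolicited reset emails the admins received.
EMAIL_DATES = [
    "Sat, 14 Mar 2009 22:41:11 +0000",
    "Sun, 15 Mar 2009 01:12:45 +0000",
]

# Combined log format: client, ident, user, [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_reset_submissions(log_text):
    """Return (timestamp, client_ip) for every POST that submitted the reset-request form.

    The GET only renders the form; the POST is what makes Vanilla send the email,
    so only POSTs are kept.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["path"])
        if url.path != "/people.php":
            continue
        if parse_qs(url.query).get("PostBackAction") != ["PasswordRequestForm"]:
            continue
        if m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"]))
    return hits


def correlate(hits, email_dates, window=timedelta(seconds=30)):
    """Pair each email with the form submissions made up to `window` before it was sent.

    Returns (email_date, client_ip) pairs. The window is an assumption: mail is
    usually handed off within seconds, but queueing on the mail server can add delay.
    """
    matches = []
    for date_header in email_dates:
        sent = parsedate_to_datetime(date_header)
        for ts, ip in hits:
            if timedelta(0) <= sent - ts <= window:
                matches.append((date_header, ip))
    return matches


def suspect_ips(matches):
    """Count how many unsolicited emails each client IP accounts for."""
    return Counter(ip for _, ip in matches)


if __name__ == "__main__":
    submissions = parse_reset_submissions(ACCESS_LOG)
    for date_header, ip in correlate(submissions, EMAIL_DATES):
        print(f"{date_header}  <-  {ip}")
    print(suspect_ips(correlate(submissions, EMAIL_DATES)))
```

Run against a real log, the same idea applies: narrow to the POSTs on the reset form, then line them up against the Date headers of the emails you received. Submissions with no matching email (like the 192.0.2.99 entry in the sample) are requests for other users and drop out of the count.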
  • In /library/people/People.Class.UserManager.php, inside the RequestPasswordReset function (about halfway down the file), on the $s->AddWhere() line, change 'Name' to 'Email'.

    The reset form will still ask for 'Username' ... not sure how to change that without changing it to read 'email' on the main login form... hmm...
  • Those with email addresses public would still be vulnerable to this abuse...