Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

security issue with password request email

I have a question on the "Forgot your password?" request, on our forum. When a username is typed into the request, the response displays the user's email address. As in; "A message has been sent to actual email address containing password reset instructions."

This is obviously a security issue, since anyone can view others' email addresses this way. How can I change this? Thanks.


  • I think you'll find that only happens if the user has their email address set to be shown anyway...?
  • Well, I just tested it here with my own. I set my email address to be shown, and then requested my password to be sent to me. The message I got said it would be sent to my domain email account, but it didn't show the whole email address like it does on our forum.

    So I'd like to set it on ours to do the same thing as it does here, if possible?

  • Which version of vanilla are you running? Methinks not 1.1.2?
  • You're right; 1.0.3.
  • MarkMark Vanilla Staff
    It doesn't show the whole email address. It only shows the domain name. As in:

    "An email has been sent to your email address"

    Just a little visual cue for those people who have a lot of different email addresses.
  • Well, that's what I want it to do. But on our forum, it shows the entire actual address.
  • MarkMark Vanilla Staff
  • Do I hear you saying that's the solution? :)
  • Yeah. There's an addon created to do a similar job for 1.0.3 but it's never advisable to run on outdated software unless you have a damn good reason too. As I remember it there's a pretty big security bug fixed between 1.0.3 and 1.1.2...
  • I appreciate your help. Thank you!
  • If I wanted to edit out the server address (shown in red on the page after the e-mail reset form) for added security, is that do-able? If so then where please?
  • Add this to your conf/language.php file, on a new line before the ?> at the bottom:$Context->Dictionary['MessageSentToXContainingPasswordInstructions'] = 'A message has been sent to your registered email address containing password reset instructions.';
  • edited January 2008
    That has fixed it. thanks Wallphone. If I also wanted to add a link back to the discussions page could I just add this to the end of the line given above?

    <li><a href="'.GetUrl($this->Context->Configuration, 'index.php').'">Go back to discussions</a></li>
  • edited January 2008
    That should work.

    You may need to take the this-> out of the middle.
This discussion has been closed.