
security issue with password request email

I have a question on the "Forgot your password?" request on our forum. When a username is typed into the request, the response displays the user's email address. As in: "A message has been sent to actual email address containing password reset instructions."

This is obviously a security issue, since anyone can view others' email addresses this way. How can I change this? Thanks.

Comments

  • I think you'll find that only happens if the user has their email address set to be shown anyway...?
  • Well, I just tested it here with my own. I set my email address to be shown, and then requested my password to be sent to me. The message I got said it would be sent to my domain email account, but it didn't show the whole email address like it does on our forum.

    So I'd like to set it on ours to do the same thing as it does here, if possible?

  • Which version of vanilla are you running? Methinks not 1.1.2?
  • You're right; 1.0.3.
  • Mark (Vanilla Staff)
    It doesn't show the whole email address. It only shows the domain name. As in:

    "An email has been sent to your hotmail.com email address"

    Just a little visual cue for those people who have a lot of different email addresses.
  • Well, that's what I want it to do. But on our forum, it shows the entire actual address.
  • Mark (Vanilla Staff)
    Upgrade?
  • Do I hear you saying that's the solution? :)
  • Yeah. There's an addon created to do a similar job for 1.0.3, but it's never advisable to run on outdated software unless you have a damn good reason to. As I remember it, there's a pretty big security bug fixed between 1.0.3 and 1.1.2...
  • I appreciate your help. Thank you!
  • If I wanted to edit out the server address (shown in red on the page after the e-mail reset form) for added security, is that do-able? If so then where please?
  • Add this to your conf/language.php file, on a new line before the ?> at the bottom:

    $Context->Dictionary['MessageSentToXContainingPasswordInstructions'] = 'A message has been sent to your registered email address containing password reset instructions.';
  • edited January 2008
    That has fixed it. Thanks, Wallphone. If I also wanted to add a link back to the discussions page, could I just add this to the end of the line given above?

    <li><a href="'.GetUrl($this->Context->Configuration, 'index.php').'">Go back to discussions</a></li>
  • edited January 2008
    That should work.

    You may need to take the this-> out of the middle.
This discussion has been closed.
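As an added illustration (not Vanilla's own code), the snippet below contrasts the three wordings that come up in this thread: the 1.0.3 message that interpolates the full address, the 1.1.2 message that shows only the domain (as Mark describes), and Wallphone's generic override for conf/language.php. The helper and function names, and the sample address, are made up for the example.

```php
<?php
// Added example, not part of Vanilla. Shows how much of the user's address
// each wording of the reset-confirmation message reveals on screen.

// Three candidate wordings for the same message key. 'full' mirrors the
// 1.0.3 behaviour reported above, 'domain' the 1.1.2 behaviour, and
// 'generic' the conf/language.php override suggested in the thread.
$Dictionary = array(
    'full'    => 'A message has been sent to %s containing password reset instructions.',
    'domain'  => 'An email has been sent to your %s email address',
    'generic' => 'A message has been sent to your registered email address containing password reset instructions.',
);

// Reduce an address to the only part that is reasonably safe to echo back.
function emailDomain($email) {
    $at = strrpos($email, '@');
    return $at === false ? '' : substr($email, $at + 1);
}

// Render the confirmation text for the chosen wording (hypothetical helper).
function renderResetMessage($Dictionary, $style, $email) {
    switch ($style) {
        case 'full':   return sprintf($Dictionary['full'], $email);
        case 'domain': return sprintf($Dictionary['domain'], emailDomain($email));
        default:       return $Dictionary['generic'];
    }
}

// Defender's check: does the rendered page contain the local part of the
// address (the piece before '@')? That is what lets anyone look up a
// member's mailbox by typing their username into the reset form.
function leaksLocalPart($message, $email) {
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        return false; // no local part to leak
    }
    return stripos($message, substr($email, 0, $at)) !== false;
}

$email = 'jane.doe@example.com'; // constructed sample address
foreach (array('full', 'domain', 'generic') as $style) {
    $msg = renderResetMessage($Dictionary, $style, $email);
    printf("%-8s leaks local part: %s\n  %s\n",
        $style, leaksLocalPart($msg, $email) ? 'yes' : 'no', $msg);
}
```

Only the 'full' wording reports a leak; the 'domain' and 'generic' wordings keep the mailbox name off the page, which is the behaviour the override restores on a 1.0.3 install.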