
security issue with password request email

I have a question on the "Forgot your password?" request, on our forum. When a username is typed into the request, the response displays the user's email address. As in; "A message has been sent to actual email address containing password reset instructions."

This is obviously a security issue, since anyone can view others' email addresses this way. How can I change this? Thanks.

Comments

  • I think you'll find that only happens if the user has their email address set to be shown anyway...?
  • Well, I just tested it here with my own. I set my email address to be shown, and then requested my password to be sent to me. The message I got said it would be sent to my domain email account, but it didn't show the whole email address like it does on our forum.

    So I'd like to set it on ours to do the same thing as it does here, if possible?

  • Which version of Vanilla are you running? Methinks not 1.1.2?
  • You're right; 1.0.3.
  • Mark (Vanilla Staff):
    It doesn't show the whole email address. It only shows the domain name. As in:

    "An email has been sent to your hotmail.com email address"

    Just a little visual cue for those people who have a lot of different email addresses.
  • Well, that's what I want it to do. But on our forum, it shows the entire actual address.
  • Mark (Vanilla Staff):
    Upgrade?
  • Do I hear you saying that's the solution? :)
  • Yeah. There's an addon created to do a similar job for 1.0.3, but it's never advisable to run outdated software unless you have a damn good reason to. As I remember it, there's a pretty big security bug fixed between 1.0.3 and 1.1.2...
  • I appreciate your help. Thank you!
  • If I wanted to edit out the server address (shown in red on the page after the e-mail reset form) for added security, is that do-able? If so, then where, please?
  • Add this to your conf/language.php file, on a new line before the ?> at the bottom:

    $Context->Dictionary['MessageSentToXContainingPasswordInstructions'] = 'A message has been sent to your registered email address containing password reset instructions.';
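As an added illustration (not code from Vanilla or from anyone in this thread), here are the three reset-notice behaviours the thread compares side by side: the 1.0.3 text that echoes the full address, the 1.1.2 text that shows only the domain, and the fixed string from the override above. The function names and the sample address are assumptions.

```php
<?php
// Added example, not Vanilla's own code. Function names are assumptions.

// Behaviour reported for the 1.0.3 forum: the account's full email address is
// echoed back, so anyone who knows a username can learn its email address.
function resetNoticeLeaky(string $email): string
{
    return "A message has been sent to $email containing password reset instructions.";
}

// Behaviour described for 1.1.2: only the part after the last '@' is shown,
// as a visual cue for people who use several addresses.
function resetNoticeDomainOnly(string $email): string
{
    $at = strrpos($email, '@');
    $domain = ($at === false) ? 'registered' : substr($email, $at + 1);
    return "An email has been sent to your $domain email address";
}

// The conf/language.php override given in this thread: a fixed string that
// carries no per-account data at all.
function resetNoticeFixed(): string
{
    return 'A message has been sent to your registered email address containing password reset instructions.';
}

// Constructed sample account (not a real user).
$email = 'someone@example.com';
echo resetNoticeLeaky($email), PHP_EOL;       // reveals someone@example.com
echo resetNoticeDomainOnly($email), PHP_EOL;  // reveals only example.com
echo resetNoticeFixed(), PHP_EOL;             // reveals nothing account-specific
```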
  • (edited January 2008)
    That has fixed it. Thanks, Wallphone. If I also wanted to add a link back to the discussions page, could I just add this to the end of the line given above?

    <li><a href="'.GetUrl($this->Context->Configuration, 'index.php').'">Go back to discussions</a></li>
  • (edited January 2008)
    That should work.

    You may need to take the this-> out of the middle.