Not signed in (Sign In)

Categories

Vanilla 1.1.4 is a product of Lussumo. More Information: Documentation, Community Support.

Help keep Vanilla free:
Welcome Guest!
Want to take part in these discussions? If you have an account, sign in now.
If you don't have an account, apply for one now.

General Support & Troubleshooting: security issue with password request email

Bottom of Page

1 to 15 of 15

  1.  
  1.  # 1
    I have a question on the "Forgot your password?" request, on our forum. When a username is typed into the request, the response displays the user's email address. As in; "A message has been sent to actual email address containing password reset instructions."

    This is obviously a security issue, since anyone can view others' email addresses this way. How can I change this? Thanks.

  2.  # 2
    I think you'll find that only happens if the user has their email address set to be shown anyway...?
  3.  # 3
    Well, I just tested it here with my own. I set my email address to be shown, and then requested my password to be sent to me. The message I got said it would be sent to my domain email account, but it didn't show the whole email address like it does on our forum.

    So I'd like to set it on ours to do the same thing as it does here, if possible?

  4.  # 4
    Which version of vanilla are you running? Methinks not 1.1.2?
  5.  # 5
    You're right; 1.0.3.
    • CommentAuthorMark
    • CommentTimeAug 19th 2007
     # 6
    It doesn't show the whole email address. It only shows the domain name. As in:

    "An email has been sent to your hotmail.com email address"

    Just a little visual cue for those people who have a lot of different email addresses.
  7.  # 7
    Well, that's what I want it to do. But on our forum, it shows the entire actual address.
    • CommentAuthorMark
    • CommentTimeAug 19th 2007
     # 8
    Upgrade?
  9.  # 9
    Do I hear you saying that's the solution? :)
  10.  # 10
    Yeah. There's an addon created to do a similar job for 1.0.3 but it's never advisable to run on outdated software unless you have a damn good reason too. As I remember it there's a pretty big security bug fixed between 1.0.3 and 1.1.2...
  11.  # 11
    I appreciate your help. Thank you!
    • CommentAuthorKeith
    • CommentTimeJan 30th 2008
     # 12
    If I wanted to edit out the server address (shown in red on the page after the e-mail reset form) for added security, is that do-able?

    If so then where please?
    •  
      CommentAuthorWallPhone
    • CommentTimeJan 30th 2008
     # 13
    Add this to your conf/language.php file, on a new line before the ?> at the bottom:$Context->Dictionary['MessageSentToXContainingPasswordInstructions'] = 'A message has been sent to your registered email address containing password reset instructions.';
    • CommentAuthorKeith
    • CommentTimeJan 31st 2008 edited
     # 14
    That has fixed it. thanks Wallphone. If I also wanted to add a link back to the discussions page could I just add this to the end of the line given above?

    <li><a href="'.GetUrl($this->Context->Configuration, 'index.php').'">Go back to discussions</a></li>
    •  
      CommentAuthorWallPhone
    • CommentTimeJan 31st 2008 edited
     # 15
    That should work.

    You may need to take the this-> out of the middle.

1 to 15 of 15

  1.  
Add your comments
    Username Password
  • Format comments as
 
Back to Discussions Top of Page