Serious Flaw

[jimstone77]

I would likle to report a serious flaw in your "Forgot password" option. The problem is that any brain dead zombie can change anyone's password simply by placing their name in the form. Everyone on the forum then cannot log in until they check their mail and enter the new password. Then this zombie repeats this 3 or 4 times a day. Any unregistered moron can wreck havoc on anyone's system this way (from experience).

Now I fully understand why this is available, however the correct way to impliment it would be to not change the password of the registered users until they acknowledge in the yabbse sent e-mail that they requested the password change. As it stands now, the system changes it no matter what, and assumes no trouble-maker has done it.

Can this be changed/fixed soon?  Can you please make sure a fix is in the next release?

If not, besides deleting the "forgot password," any way to handle this until it's corrected? Thanks for any information, response, or help, and despite this message, I love my Yabbse. But this is causing me to pull out all my hair  

Maybe I should be a Beta Tester site?

[twarren10]

Wow! I just tried this on my forum and it really could be a problem. Especially for administrator names. Time for a mod.

[Shoeb Omar]

hehe.. that's a really good flaw  

I think it may even affect the other yabb...

[Douglas]

This should be moved to the Mods board.  What we could do is take full advantage of the Secret Question and Answer features.

"Type in your Username or Email address".  Submit that information, which takes them to the Secret Question screen.  If they answer correctly, then the email will get generated and sent out with the new password.

This is, of course, dependent on the Secret Question and Answer being filled in.

Would be a good mod.

[David]

Yes, this is a problem.  It will be fixed in version 2.0 if not before hand.  Feel free to make a mod to fix it if you wish.

[groundup]

wow, I thought everyone knew of that and just didnt care

[[Unknown]]

http://www.yabbse.org/community/index.php?board=158;action=display;threadid=22440

*cough*

-[Unknown]

[twarren10]

Secret Question and Answer features. "Type in your Username or Email address".  Submit that information, which takes them to the Secret Question screen.  If they answer correctly, then the email will get generated and sent out with the new password. This is, of course, dependent on the Secret Question and Answer being filled in.

Which of course 85 percent of the users don't bother to fill out. I wish they would.

[Peter Duggan]

If you've filled out your secret question and answer, you can bypass the email altogether and change your password directly through the 'Forgot password?' link, which seems much more convenient.

As for the mod, please follow up Reply #6 here for a swift response from [Unknown] that could save your members a lot of hassle!

[I, Brian]

Does this flaw still exist? Really t very surprising to see such a sloppy piece of design in a piece of software that otherwise is so nice.

This isn't an issue that should be addressed in a MOD - this is an issue that needs addressing in an update.

[Ben_S]

An update has not been released since the issue was pointed out, as 99% of forums probably dont suffer the issue (no annoying people requesting other peoples passwords),  then releasing a new version just for the one issue will probably just annoy people who want to stay current but dont want to reinstall all their mods again.

[I, Brian]

It's only been known about recently, then?

Really, for the future upgrade, you could look at simply using the e-mail adderss as the identifier, rather than the user name. It would be the more logical choice...

[Ben_S]

noone has reported it as an issue till recently

the feature has been the same since at least yabb 1 golf beta 5 - my first dabble with yabb

[Douglas]

I know there are plans to enhance board security with future releases, but as Ben_S said, it's not a major enough of an issue to warrant a completely separate release.  It might even be addressed with the next release, however I cannot say that for certainty, as I am not on the Devel team.  No ETA for the next release either, so ya'll don't have to ask about that.  ::chuckles::

[Coyote]

wouldnt it be a better idea to do an if admin || global then show forgot password link? and maybe have a couple of email address there so members could email to get a new password?

that way moderators could renew members passwords without having access to the members profile