MyBB Community Forums

Full Version: Security Vulnerability?
MyBB Community,

I received an email today confirming that I wanted to do a password reset on the administrator's account. Obviously I did not initiate this activity and fortunately they didn't get the reset code. What is a common source of vulnerability where a remote user could initiate a reset code request?

Thank you,
TheWiz
This is not a vulnerability. Essentially, it's an email sent by the server saying "Hey, someone tried to reset the password for this account." The only issue would be if someone gained access to your email account, in which case you're pretty much screwed anyway.

It's the same for most web applications. You enter the email address, the server sends an email, you as the owner of the account choose what to do. Didn't initiate the request? Ignore it. Perhaps change the email address of your forum account to something only you know (the person who made the request needs to know your email address in the first place) so it doesn't happen again.

Once again, there is no vulnerability. Smile
A good idea would also be to make sure the front end doesn't tell the user which email address the recovery email was sent to.
(2013-05-25, 03:18 AM)SirGravzy Wrote: A good idea would also be to make sure the front end doesn't tell the user which email address the recovery email was sent to.

You have to know the email address in the first place. You can't reset a password without knowing the email address of the account, and as I mentioned if they have access to your email account then you probably have other things to worry about.
Yeah, it would be a cool move to re-title the thread too Wink

That is expected behavior.
(2013-05-25, 03:18 AM)SirGravzy Wrote: A good idea would also be to make sure the front end doesn't tell the user which email address the recovery email was sent to.

That doesn't even make sense... To request a password reset, YOU have to enter the email address of the account. I don't see what you are getting at here.
The thread title is very interesting.

If you do not need to reset the password and suddenly there is a notice in your mail, just ignore it.

It will not reset your password as long as you do not click the link in the email.

Big Grin

This is only the work of naughty children who need their ears pulled until they realize this is just a ridiculous action.
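The flow the replies describe (a reset request only sends a code by email, nothing changes until that code is used, and the page should not echo which address it went to), as an added Python sketch that is not MyBB's code; the user record, addresses and token lifetime below are constructed for the demo:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store for the demo (not MyBB's schema).
# A real deployment would use a slow password hash (bcrypt/argon2), not SHA-256.
USERS = {
    "admin": {
        "email": "admin@example.invalid",
        "password_hash": hashlib.sha256(b"old-password").hexdigest(),
    },
}
# Pending reset codes, stored only as hashes: sha256(token) -> (username, expiry).
PENDING = {}
TOKEN_TTL = 3600  # seconds a reset code stays valid (assumed value)

# The same reply is returned whether or not the address is registered,
# so the form does not reveal which addresses have accounts.
UNIFORM_REPLY = "If that address is registered, a reset email has been sent."


def request_reset(email, now=None):
    """Issue a reset code for the account matching `email`.

    Returns (reply_for_the_web_page, token_for_the_mailer); the token is
    None when no account matches. The stored password is never touched here.
    """
    now = time.time() if now is None else now
    for username, rec in USERS.items():
        if hmac.compare_digest(rec["email"].encode(), email.encode()):
            token = secrets.token_urlsafe(32)
            PENDING[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
            return UNIFORM_REPLY, token  # token travels only inside the email
    return UNIFORM_REPLY, None


def confirm_reset(token, new_password, now=None):
    """Change the password only for a valid, unexpired code; codes are single-use."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False  # unknown or already-used code
    username, expires = entry
    if now > expires:
        return False  # expired code is discarded without changing anything
    USERS[username]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```

Merely calling `request_reset` leaves the password unchanged; only `confirm_reset` with the emailed code alters it, which is why an unexpected reset email on its own is not a compromise.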