MyBB Community Forums

MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Suggestions and Feedback > Change Failed Login Report
Full Version: Change Failed Login Report
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

Galen

2007-01-21, 09:08 AM
The report of a failed login into the AdminCP should NEVER be sent over e-mail. E-mail is easy for anybody to read. I can recall making a type-o in my username and then getting an e-mail about it and I'm like "Gee, thanks MyBB, for broadcasting my admin password in plain text for the whole world to see..."

This should definately be changed, it is a security risk. For the immediate future, how can I disabled this "feature?"

Dennis Tsang

2007-01-22, 11:40 PM
You can comment the mail() line out in admin/global.php.

In one sense it's also a security feature if someone tries to do a SQL injection, you can report it to the MyBB group for further investigation.

Perhaps the failed logins can be 'logged' to the database and a notification be sent out instead.

Galen

2007-01-23, 12:49 AM
Yeah, that was what I was thinking. Maybe it should be logged in the same way that reported posts are logged.
MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Suggestions and Feedback > Change Failed Login Report