Reset Password is vulnerable

Jamie · 05-18-2017, 09:46 PM

The reset password form is easily vulnerable with the reset password link, people can run a script to spam random numbers as the vericode in the URL and once they get the correct one can change someone elses password, is there a way to have vericode only work when someone requests reset password and it'll only be valid for around 15 minutes, along with making it an actual secure phrase instead of a verification number.

**Brandin** · 05-25-2017, 05:39 PM

You could always change one of the custom fields in the DB to be a timestamp updated upon password reset, make a function for this and call the function to verify the timestamp as well as the vericode.

faguss · 06-19-2017, 11:25 PM

Change field "custom1" in "users" table to timestamp with default value of 0 and no attributes.
Replace a bunch of files

**mudmin** · 06-20-2017, 11:21 AM

I'm adding this to the list. I have 5 more weeks of camp and then I'm free to do more coding.

Thanks for the fix!

karsen · 07-10-2017, 07:15 PM

I've added this to my project and it works great! I had this modification on my to-do list but I've been able to cross it off. Thanks for the hard work, faguss!

Login




Remember me Lost Password?