Reset Password is vulnerable - Printable Version

+- UserSpice (https://userspice.com/forums)
+-- Forum: Support Center (https://userspice.com/forums/forumdisplay.php?fid=23)
+--- Forum: UserSpice 4.3 and Below (https://userspice.com/forums/forumdisplay.php?fid=26)
+--- Thread: Reset Password is vulnerable (/showthread.php?tid=564)
Reset Password is vulnerable - Jamie - 05-18-2017

The reset password form is easily vulnerable with the reset password link: people can run a script to spam random numbers as the vericode in the URL and, once they get the correct one, can change someone else's password. Is there a way to have the vericode only work when someone requests a password reset and only be valid for around 15 minutes, along with making it an actual secure phrase instead of a verification number?

Reset Password is vulnerable - Brandin - 05-25-2017

You could always change one of the custom fields in the DB to be a timestamp updated upon password reset, make a function for this and call the function to verify the timestamp as well as the vericode.

Reset Password is vulnerable - faguss - 06-19-2017

Reset Password is vulnerable - mudmin - 06-20-2017

I'm adding this to the list. I have 5 more weeks of camp and then I'm free to do more coding. Thanks for the fix!

Reset Password is vulnerable - karsen - 07-10-2017

I've added this to my project and it works great! I had this modification on my to-do list but I've been able to cross it off. Thanks for the hard work, faguss!
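
An added example, not part of the thread and not UserSpice code: one way to implement the properties discussed above (a code that exists only after a reset request, expires after 15 minutes, and is a random secret rather than a guessable number). The `$store` array and the names `reset_hash` and `reset_expires` are assumptions standing in for columns in the users table.

```php
<?php
declare(strict_types=1);

const RESET_TTL = 15 * 60; // 15-minute validity window, as asked for in the thread

// $store stands in for the users table; reset_hash / reset_expires are hypothetical columns.
function issue_reset_token(array &$store, int $userId, ?int $now = null): string
{
    $now = $now ?? time();
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not a guessable number
    $store[$userId] = [
        'reset_hash'    => hash('sha256', $token), // only the hash is stored server-side
        'reset_expires' => $now + RESET_TTL,
    ];
    return $token; // goes into the e-mailed link only
}

function verify_reset_token(array &$store, int $userId, string $token, ?int $now = null): bool
{
    $now = $now ?? time();
    $row = $store[$userId] ?? null;
    if ($row === null) {
        return false; // no reset was requested for this account
    }
    if ($now > $row['reset_expires']) {
        unset($store[$userId]); // expired: clear it so it can never match again
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison of the two hashes
    }
    unset($store[$userId]); // single use: a successful check consumes the token
    return true;
}

// Constructed demo data: user id 7 and a fixed clock value.
$store = [];
$t0 = 1700000000;
$token = issue_reset_token($store, 7, $t0);
var_dump(verify_reset_token($store, 7, '123456', $t0 + 60)); // numeric guess
var_dump(verify_reset_token($store, 7, $token, $t0 + 60));   // real token, inside the window
var_dump(verify_reset_token($store, 7, $token, $t0 + 120));  // same token, second use
$late = issue_reset_token($store, 7, $t0);
var_dump(verify_reset_token($store, 7, $late, $t0 + RESET_TTL + 1)); // after expiry
```

Rate-limiting failed attempts per account and per source address complements this, since the expiry and token length only bound how much guessing fits inside the window.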