UserSpice
Reset Password is vulnerable




Reset Password is vulnerable - Jamie - 05-18-2017

The reset password form is easily vulnerable with the reset password link: people can run a script to spam random numbers as the vericode in the URL and, once they get the correct one, can change someone else's password. Is there a way to have vericode only work when someone requests reset password and it'll only be valid for around 15 minutes, along with making it an actual secure phrase instead of a verification number?


Reset Password is vulnerable - Brandin - 05-25-2017

You could always change one of the custom fields in the DB to be a timestamp updated upon password reset, make a function for this and call the function to verify the timestamp as well as the vericode.


Reset Password is vulnerable - faguss - 06-19-2017


  1. Change field "custom1" in "users" table to timestamp with default value of 0 and no attributes.
  2. Replace a bunch of files
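
The check requested and outlined in the posts above (a token that only works after a reset request, expires after about 15 minutes, and is a random string rather than a number), as an added example that is not part of the thread, not UserSpice code and not faguss's fix. The column names `vericode` and `custom1` come from the thread; the function names, the hashed storage of the token and the in-memory sample row are assumptions.

```php
<?php
// Added example, not UserSpice code. issue_reset()/verify_reset() are hypothetical names.
const RESET_TTL = 900; // 15 minutes, the window asked for in the thread

// Called only when a user requests a reset. Returns the token to e-mail;
// the row keeps just its hash and the time of the request.
function issue_reset(array &$user, int $now): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, not a short number
    $user['vericode'] = hash('sha256', $token);  // assumption: store a hash, not the token itself
    $user['custom1']  = $now;                    // timestamp column from step 1 above
    return $token;
}

// A token is accepted only if a reset is pending, the window has not passed,
// and the value matches in constant time. Acceptance consumes the token.
function verify_reset(array &$user, string $token, int $now): bool {
    $issued = (int)($user['custom1'] ?? 0);
    if ($issued === 0 || $now < $issued || $now - $issued > RESET_TTL) {
        return false;                            // default 0 means no reset was requested
    }
    $stored = $user['vericode'] ?? null;
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        return false;
    }
    $user['vericode'] = null;                    // single use
    $user['custom1']  = 0;
    return true;
}

// Constructed sample row standing in for one record of the "users" table.
$user = ['id' => 1, 'vericode' => '123456', 'custom1' => 0];
$t0 = 1495100000; // constructed timestamp

var_dump(verify_reset($user, '123456', $t0));        // stale vericode, no reset requested
$token = issue_reset($user, $t0);
var_dump(verify_reset($user, 'guess', $t0 + 60));    // wrong value inside the window
var_dump(verify_reset($user, $token, $t0 + 600));    // correct token inside the window
var_dump(verify_reset($user, $token, $t0 + 601));    // same token presented a second time
$token2 = issue_reset($user, $t0 + 1000);
var_dump(verify_reset($user, $token2, $t0 + 1901));  // correct token, 901 seconds after issue
```
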



Reset Password is vulnerable - mudmin - 06-20-2017

I'm adding this to the list. I have 5 more weeks of camp and then I'm free to do more coding.

Thanks for the fix!


Reset Password is vulnerable - karsen - 07-10-2017

I've added this to my project and it works great! I had this modification on my to-do list but I've been able to cross it off. Thanks for the hard work, faguss!