Moodle / MDL-12068

forgot_password.php Page can be used to flood other users with password change e-mails.


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 1.8.3
    • Fix Version/s: 1.9
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      N/A
    • Affected Branches:
      MOODLE_18_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE

    Description

    When the e-mail auth method is disabled, www.domain.com/login/forgot_password.php should also be disabled to prevent mischievous users from abusing it and flooding other users with password change e-mails.

    There should also be something in the code that limits the number of e-mails sent to a specific e-mail address in a given time frame (if this is even possible?!).

    I've removed the page from our site to stop this happening, but this isn't the most elegant fix.

    Any ideas?

    Thanks,

    Marty
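One way to implement the two mitigations the report asks for (refuse the page when e-mail auth is disabled, and cap reset mails per address per time window), as an added illustration in Python rather than Moodle's own PHP code; the limits, the class name and the injectable clock are assumptions:

```python
import time
from collections import defaultdict, deque

# Assumed limits for illustration; Moodle has no such settings on this page.
MAX_RESETS_PER_WINDOW = 3
WINDOW_SECONDS = 3600


class ResetEmailGuard:
    """Gate a password-reset request behind the two checks the report asks for:
    the e-mail auth method must be enabled, and one address may receive at most
    MAX_RESETS_PER_WINDOW reset mails within WINDOW_SECONDS (sliding window)."""

    def __init__(self, email_auth_enabled, max_per_window=MAX_RESETS_PER_WINDOW,
                 window=WINDOW_SECONDS, clock=time.time):
        self.email_auth_enabled = email_auth_enabled
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock  # injectable so the limiter can be tested deterministically
        self._sent = defaultdict(deque)  # normalised address -> send timestamps

    def request_reset(self, address):
        """Return 'disabled', 'throttled' or 'sent'; only 'sent' should
        actually dispatch mail."""
        if not self.email_auth_enabled:
            return "disabled"  # the page is refused, not merely hidden
        key = address.strip().lower()  # case/whitespace variants share one bucket
        now = self.clock()
        recent = self._sent[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # forget sends that fell out of the window
        if len(recent) >= self.max_per_window:
            return "throttled"
        recent.append(now)
        return "sent"


if __name__ == "__main__":
    clock = [0.0]
    guard = ResetEmailGuard(True, clock=lambda: clock[0])
    for i in range(5):  # constructed burst of requests against one address
        clock[0] += 1.0
        print(i, guard.request_reset("User@Example.com"))
    clock[0] += WINDOW_SECONDS
    print("after window:", guard.request_reset("user@example.com"))
    print("auth off:", ResetEmailGuard(False).request_reset("user@example.com"))
```

The per-address bucket is what stops a single target from being flooded; a per-client-IP bucket would be a separate, complementary check.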

    People

    • Assignee: Petr Skoda (skodak)
    • Reporter: Marty (martyjacobs)
    • Tester: Nicolas Martignoni
    • Component watchers: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
    • Votes: 0
    • Watchers: 0

    Dates

    • Fix Release Date: 3/Mar/08