Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10325

Ability to disable the "I forgot my password" feature

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0-dev
    • Fix Version/s: 3.1.0-a1
    • Component/s: None
    • Labels:
      None

      Description

      When phpBB is running on a webserver using SSL, the "I forgot my password" uses email (or XMPP) to send out a new password. Since email is generally unencrypted and other attacks such as faking the DNS reply for the MX record request are possible, it presents a weakness.

      I suggest adding a switch to disable this feature completely.

        Attachments

          Activity

            People

            • Assignee:
              dhruv.goel92 Dhruv Goel
              Reporter:
              bantu Andreas Fischer
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: