Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10325

Ability to disable the "I forgot my password" feature

    XMLWordPrintable

Details

    • Improvement
    • Status: Unverified Fix (View Workflow)
    • Major
    • Resolution: Fixed
    • 3.1.0-dev
    • 3.1.0-a1
    • None
    • None

    Description

      When phpBB is running on a webserver using SSL, the "I forgot my password" uses email (or XMPP) to send out a new password. Since email is generally unencrypted and other attacks such as faking the DNS reply for the MX record request are possible, it presents a weakness.

      I suggest adding a switch to disable this feature completely.

      Attachments

        Activity

          People

            dhruv.goel92 Dhruv Goel [X] (Inactive)
            bantu Andreas Fischer
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: