[PHPBB3-10325] Ability to disable the "I forgot my password" feature

XML

Word

Printable

Details

Type: Improvement
Status: Unverified Fix (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.0-dev
Fix Version/s: 3.1.0-a1
Component/s: None
Labels:
None

GitHub Pull Request URL:
https://github.com/phpbb/phpbb3/pull/1209

Description

When phpBB is running on a webserver using SSL, the "I forgot my password" uses email (or XMPP) to send out a new password. Since email is generally unencrypted and other attacks such as faking the DNS reply for the MX record request are possible, it presents a weakness.

I suggest adding a switch to disable this feature completely.

Attachments

Activity

People

Assignee:: Dhruv Goel [X] (Inactive)

Reporter:: Andreas Fischer [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/Aug/11 2:55 PM

Updated:: 08/May/13 1:51 PM

Resolved:: 08/May/13 1:51 PM