Author Topic: Serious Flaw  (Read 5885 times)
jimstone77
Noobie
*
Posts: 20


I'm a llama!

Serious Flaw
« on: May 03, 2003, 10:37:03 AM »

I would like to report a serious flaw in your "Forgot password" option. The problem is that any brain dead zombie can change anyone's password simply by placing their name in the form. Everyone on the forum then cannot log in until they check their mail and enter the new password. Then this zombie repeats this 3 or 4 times a day. Any unregistered moron can wreak havoc on anyone's system this way (from experience).

Now I fully understand why this is available, however the correct way to implement it would be to not change the password of the registered users until they acknowledge in the yabbse sent e-mail that they requested the password change. As it stands now, the system changes it no matter what, and assumes no trouble-maker has done it.

Can this be changed/fixed soon?  Can you please make sure a fix is in the next release?

If not, besides deleting the "forgot password," any way to handle this until it's corrected? Thanks for any information, response, or help, and despite this message, I love my Yabbse. But this is causing me to pull out all my hair  :(

Maybe I should be a Beta Tester site?
Logged
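
The two reset behaviours contrasted in the post above, as an added example that is not part of the original thread and is not YaBB SE code. The `Forum` class, its method names and the one-hour token lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
TOKEN_TTL = 3600  # assumed lifetime of a reset token, in seconds

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Forum:  # toy in-memory member store (hypothetical, not YaBB SE code)
    def __init__(self):
        self.users = {}    # name -> (salt, password hash)
        self.pending = {}  # sha256(token) -> (name, expiry time)
        self.outbox = []   # (name, text) pairs standing in for sent e-mail

    def set_password(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _hash_pw(password, salt))

    def login(self, name, password):
        salt, stored = self.users[name]
        return hmac.compare_digest(stored, _hash_pw(password, salt))

    # Behaviour reported in the thread: the request itself changes the password.
    def forgot_immediate(self, name):
        new_pw = secrets.token_urlsafe(9)
        self.set_password(name, new_pw)  # the old password stops working here
        self.outbox.append((name, new_pw))

    # Behaviour proposed in the thread: the request only mails a one-time token.
    def forgot_request(self, name, now):
        if name not in self.users:
            return  # unknown names get the same silent response
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (name, now + TOKEN_TTL)  # store only the hash
        self.outbox.append((name, token))

    def forgot_confirm(self, token, new_pw, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_pw)
        return True

def demo():
    f, now = Forum(), time.time()
    f.set_password("admin", "constructed-pw")  # constructed sample account
    f.forgot_request("admin", now)             # request made by a stranger
    survives = f.login("admin", "constructed-pw")
    f.forgot_immediate("admin")                # same request, reported flow
    return survives, f.login("admin", "constructed-pw")
```

With the token flow, a request made by someone else leaves the member's current password working; only the holder of the mailed token can complete the change.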
twarren10
Noobie
*
Posts: 11


I'm a llama!

Re:Serious Flaw
« Reply #1 on: May 03, 2003, 11:04:18 AM »

Wow! I just tried this on my forum and it really could be a problem. Especially for administrator names. Time for a mod.
Logged
Shoeb Omar
Disciple of Joe
YaBB God
*****
Posts: 1420


The shrub demands war. I don't. The world doesn't.

Re:Serious Flaw
« Reply #2 on: May 03, 2003, 04:21:04 PM »

hehe.. that's a really good flaw  ;D

I think it may even affect the other yabb...
Logged

"If we all practice an eye for an eye, pretty soon the whole world will be blind" - Gandhi

We need to start listening to advocates of peace in order to advance society. We have not grown from the prehistoric barbarians we once were.  Will society ever mature?
Douglas
aka The Bear
Support Team
YaBB God
*****
Posts: 1050


Bears rule! Llamas rule too!

Re:Serious Flaw
« Reply #3 on: May 03, 2003, 04:57:03 PM »

This should be moved to the Mods board.  What we could do is take full advantage of the Secret Question and Answer features.

"Type in your Username or Email address".  Submit that information, which takes them to the Secret Question screen.  If they answer correctly, then the email will get generated and sent out with the new password.

This is, of course, dependent on the Secret Question and Answer being filled in.

Would be a good mod.
Logged

Need help? Please SEARCH first.  No need for a bad attitude, we like helping positive minded people.
ComeHit.us Short URL  redirection svcs with YSE powered forums, COMING SOON!
Want to say thanks?  Check out http://comehit.us/?u=3
David
Destroyer Dave
Global Moderator
YaBB God
*****
Posts: 5761


I'm not a llama!

Re:Serious Flaw
« Reply #4 on: May 03, 2003, 05:42:18 PM »

Yes, this is a problem.  It will be fixed in version 2.0 if not beforehand.  Feel free to make a mod to fix it if you wish.
Logged

groundup
Disciple of Joe, Head Cleric
Mod Team
YaBB God
*****
Posts: 2983


Error 309: Please notify the administrator of this

Re:Serious Flaw
« Reply #5 on: May 04, 2003, 01:26:37 AM »

wow, I thought everyone knew of that and just didn't care :-\
Logged

http://www.fastfinancialfreedom.org - financial freedom is a myth
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


Re:Serious Flaw
« Reply #6 on: May 04, 2003, 12:58:08 PM »

http://www.yabbse.org/community/index.php?board=158;action=display;threadid=22440

*cough*

-[Unknown]
Logged
twarren10
Noobie
*
Posts: 11


I'm a llama!

Re:Serious Flaw
« Reply #7 on: May 04, 2003, 03:07:53 PM »

Quote from: Douglas on May 03, 2003, 04:57:03 PM
Secret Question and Answer features. "Type in your Username or Email address".  Submit that information, which takes them to the Secret Question screen.  If they answer correctly, then the email will get generated and sent out with the new password. This is, of course, dependent on the Secret Question and Answer being filled in.


Which of course 85 percent of the users don't bother to fill out. I wish they would.

Logged
Peter Duggan
Llama Chameleon
Global Moderator
YaBB God
*****
Posts: 1793


You come and go...

Re:Serious Flaw
« Reply #8 on: May 04, 2003, 03:38:30 PM »

If you've filled out your secret question and answer, you can bypass the email altogether and change your password directly through the 'Forgot password?' link, which seems much more convenient.

As for the mod, please follow up Reply #6 here for a swift response from [Unknown] that could save your members a lot of hassle!
« Last Edit: May 04, 2003, 03:40:16 PM by Peter Duggan » Logged

I, Brian
Full Member
***
Posts: 238


It is coming...

Re:Serious Flaw
« Reply #9 on: May 17, 2003, 07:51:06 PM »

Does this flaw still exist? Really, it's very surprising to see such a sloppy piece of design in a piece of software that otherwise is so nice.

This isn't an issue that should be addressed in a MOD - this is an issue that needs addressing in an update.


Logged

Ben_S
Disciple of Joe
Support Team
YaBB God
*****
Posts: 1586


I Love YaBB SE!

Re:Serious Flaw
« Reply #10 on: May 17, 2003, 07:54:28 PM »

An update has not been released since the issue was pointed out, as 99% of forums probably don't suffer the issue (no annoying people requesting other people's passwords),  then releasing a new version just for the one issue will probably just annoy people who want to stay current but don't want to reinstall all their mods again.
« Last Edit: May 17, 2003, 07:58:17 PM by Ben_S » Logged
I, Brian
Full Member
***
Posts: 238


It is coming...

Re:Serious Flaw
« Reply #11 on: May 17, 2003, 08:00:31 PM »

It's only been known about recently, then?

Really, for the future upgrade, you could look at simply using the e-mail address as the identifier, rather than the user name. It would be the more logical choice...

Logged

Ben_S
Disciple of Joe
Support Team
YaBB God
*****
Posts: 1586


I Love YaBB SE!

Re:Serious Flaw
« Reply #12 on: May 17, 2003, 08:06:54 PM »

no one has reported it as an issue till recently

the feature has been the same since at least yabb 1 golf beta 5 - my first dabble with yabb
Logged
Douglas
aka The Bear
Support Team
YaBB God
*****
Posts: 1050


Bears rule! Llamas rule too!

Re:Serious Flaw
« Reply #13 on: May 17, 2003, 08:15:11 PM »

I know there are plans to enhance board security with future releases, but as Ben_S said, it's not a major enough of an issue to warrant a completely separate release.  It might even be addressed with the next release, however I cannot say that with certainty, as I am not on the Devel team.  No ETA for the next release either, so y'all don't have to ask about that.  ::chuckles::
Logged

Coyote
YaBB God
*****
Posts: 702


I love YaBB SE!

Re:Serious Flaw
« Reply #14 on: May 21, 2003, 08:00:22 AM »

wouldn't it be a better idea to do an if admin || global then show forgot password link? and maybe have a couple of email addresses there so members could email to get a new password?

that way moderators could renew members' passwords without having access to the member's profile :)



Logged

To the world - you are just one person, but to one person you are the world!