Moodle MDL-12068

forgot_password.php page can be used to flood other users with password change e-mails.

    • Improvement
    • Resolution: Fixed
    • Trivial
    • 1.9
    • 1.8.3
    • Authentication
    • None
    • N/A
    • MOODLE_18_STABLE
    • MOODLE_19_STABLE

When the e-mail auth method is disabled, www.domain.com/login/forgot_password.php should also be disabled to prevent mischievous users from abusing it and flooding other users with password change e-mails.

There should also be something in the code that limits the number of e-mails sent to a specific e-mail address in a given time frame (if this is even possible?!).

I've removed the page from our site to stop this happening, but this isn't the most elegant fix.

Any ideas?

Thanks,

Marty
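One way to implement the two safeguards asked for above, as an added example in Python and not Moodle's own code: the `email_auth_enabled` flag, the default of 3 mails per address per hour and the in-memory store are assumptions, not taken from the issue.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class ResetMailThrottle:
    """Sliding-window limiter for password-reset e-mails, keyed by recipient.

    Assumed policy (not from the issue): at most `limit` mails per address
    within `window` seconds. State is kept in memory here; a real deployment
    would persist it (database or cache) so it holds across requests/nodes.
    """

    def __init__(self, limit: int = 3, window: int = 3600) -> None:
        self.limit = limit
        self.window = window
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def normalize(email: str) -> str:
        # Case-insensitive key so Bob@Example.com and bob@example.com share a bucket.
        return email.strip().lower()

    def allow(self, email: str, now: float) -> bool:
        """Return True if a reset mail may be sent to `email` at time `now`."""
        q = self._sent[self.normalize(email)]
        # Drop send timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # cap reached: do not send, do not record
        q.append(now)
        return True


def handle_forgot_password(email: str, email_auth_enabled: bool,
                           throttle: ResetMailThrottle, now: float) -> str:
    """Decide the server-side action for one forgot_password request.

    Returns 'disabled', 'throttled' or 'send'. The page should show the same
    neutral confirmation to the visitor in all three cases; the value is for
    the mail decision and for logging bursts of 'throttled' per address.
    """
    if not email_auth_enabled:
        return "disabled"       # first suggestion: no e-mail auth, no reset page
    if not throttle.allow(email, now):
        return "throttled"      # second suggestion: per-address, per-window cap
    return "send"
```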

Petr Skoda (skodak)
Marty (martyjacobs, inactive)
Nicolas Martignoni
Votes: 0
Watchers: 0
