google-code-backups / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0
0 stars 0 forks source link

reset password is insecure #344

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
reset password functionality exposes users to denial of service.

Anyone can reset the password of a known user name.

We should add a challenge, security question.

OR

A 2 step reset procedure via email. Don't reset password until a tokenized link 
is visited via emailed link.

OR 

leave the current password working along with the reset password in case it was 
unintentional. This is kludgy though.

Original issue reported on code.google.com by tablatronics on 23 Jul 2012 at 2:46