Closed (won't fix)
Project: Drupal core
Version: 4.6.3
Component: user.module
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 13 Nov 2005 at 14:21 UTC
Updated: 29 Dec 2005 at 14:49 UTC
This is regarding http://drupal.org/node/18719
Version: 4.6.0
Has that patch been applied to the 4.6.x branch? I can't find it in 4.6.3. Does "Version" mean the version the bug was reported against, or where it has been fixed, or something else?
Without this patch it seems that an attacker could launch a "denial of service" attack against a Drupal site by requesting a password reset for every user on the site.
Thus, since this seems like a reasonably annoying security issue, I'd like to request that the patch be backported to the 4.6.x branch.
Comments
Comment #1
killes@www.drop.org commented
We don't backport new features.