I recall seeing some thread a while back where several folks were discussing the flaws with the password reset functionality. Basically the problem boils down to the fact that you can reset someone's password if you know their user name OR their email address. This clearly is open to abuse by trolls if your site displays user names of people that post there.

In this thread someone was talking about a patch that would address this by requiring you to confirm that you wanted to change your password in an email. If you didn't, you could ignore the email; otherwise you could change it by clicking a link.

I tried looking around for this and could not for the life of me find it anywhere. Does anyone know the status of this patch or where I can find it if it is posted?

This is a big security problem we'll need to address with our site and any help would be greatly appreciated.

Comments

rbrooks00’s picture

Just wanted to bump this once to see if anyone knows anything about this. If not I'll continue digging around.

chx’s picture

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.