Feature #16485

closed

Security enhancement

Added by Torkil Svensgaard about 18 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2006-08-23
Due date:
% Done:
0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

As it is now, I could enter a random (valid) email address and an email would go out to the owner, telling him the email isn't known by the system.

If I thought that was funny, I could do it again. At some point, this might get the mail server blacklisted.

If I happened to use an email address known by the system, the same thing would happen, just a different type of email being sent.

How about some configuration options, giving the site owner the ability to allow/disallow the sending of emails in the case where the email is unknown to the system, and introduce some simple measure (pet's name!) to prevent randoms from spamming an email address known by the system?

(issue imported from #M4088)


Files

newloginbox_pi1.tar.bz2 (18 KB), Administrator Admin, 2007-11-14 13:19

Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #17751: Lost password and not email active in database, why send a mail? (Closed, Steffen Kamper, 2007-11-03)

Actions #1

Updated by Andreas Wolf about 18 years ago

I would say yes to your first proposal - sending e-mail without explicit permission of the recipient can easily cause big trouble, at least here in Germany.

Your second idea is also worth a thought, but I would perhaps say to even go a bit further: Why not make it optional to have this question as your second password? Ok, it could lead to security problems because your mother's maiden name or your pet's name is usually far more likely to be known by people than the password of your e-mail account (to fetch the password from the mail). But perhaps some people want it like that, and why not give it to them?

Actions #2

Updated by Torkil Svensgaard about 18 years ago

The more options the better =)

In some scenarios, like a secure intranet, you wouldn't want to have to bother with additional security but it is quite important to have the ability to turn it off.

Actions #3

Updated by Harp over 17 years ago

I'm having the same problem ... is there a solution by now?

Actions #4

Updated by Harp over 17 years ago

Sorry to post again: Is there an update/fix in progress or should I just take another loginbox extension?

Actions #5

Updated by Stefan Strasser over 17 years ago

At the moment there is no fix for this in progress. After other work-in-progress is integrated I'll take care of this. If you'd like to speed the process up, you may contribute a fix for this...

Actions #6

Updated by Administrator Admin about 17 years ago

File newloginbox_pi1.tar.bz2 (based on version 3.1.0) contains a patch which will fix this problem.
Translation for English and German added (forgot_password_notfound).
Translation forgot_password_no_pswmsg can be removed if no longer used.

If the email is not found, a message will be displayed instead of sending an email.

Actions #7

Updated by Xavier Perseguers about 13 years ago

  • Status changed from Accepted to Needs Feedback
  • Assignee deleted (Steffen Kamper)
  • Target version deleted (0)
  • TYPO3 Version set to 4.2

Still valid?

Actions #8

Updated by Jigal van Hemert almost 13 years ago

  • Status changed from Needs Feedback to Closed

In the current felogin plugin an email will only be sent if the address is known to the system. No clue is given whether the mail address is known or not.
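The behaviour the closing comment describes, as an added illustration that is not felogin or TYPO3 code: the handler mails only known addresses, returns the same message whether or not the address is known (so the response does not leak which addresses exist), and throttles repeat requests per address so a known address cannot be flooded. The `KNOWN_USERS` table, the `send_mail` callback and the 300-second interval are constructed assumptions.

```python
import secrets
import time

# Constructed sample user table: address -> username.
KNOWN_USERS = {"alice@example.org": "alice"}


class LostPasswordHandler:
    """Lost-password request handler that gives no clue whether an
    address is registered and never mails an unknown address."""

    # The same text is returned for known and unknown addresses.
    RESPONSE = "If the address is registered, a reset link has been sent."

    def __init__(self, users, send_mail, min_interval=300, now=time.time):
        self.users = users
        self.send_mail = send_mail          # callable(address, token)
        self.min_interval = min_interval    # seconds between mails per address
        self.now = now                      # injectable clock for testing
        self.last_sent = {}                 # address -> timestamp of last mail
        self.tokens = {}                    # address -> current reset token

    def request_reset(self, address):
        """Handle one request; returns the uniform response text."""
        address = address.strip().lower()
        user = self.users.get(address)
        if user is not None:
            last = self.last_sent.get(address)
            # Throttle: a known address is mailed at most once per interval,
            # so repeated requests cannot turn the site into a mail cannon.
            if last is None or self.now() - last >= self.min_interval:
                token = secrets.token_urlsafe(32)
                self.tokens[address] = token
                self.send_mail(address, token)
                self.last_sent[address] = self.now()
        # Unknown address: nothing is sent, and the answer is identical.
        return self.RESPONSE
```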
