We have a client who has had a security test carried out on their site, and one of the defined medium risks was the fact that when a user requests 'Forgotten password' from the site, the supposedly temporary password is sent via unencrypted email, i.e. in cleartext, and could be intercepted and used before the authorised user gets to log in and update the password. The end result is a user locked out of their own account.
Will CB go down the road of sending a link to password change page in the way the Joomla 2.5 default does?
If not, is there any way to secure the email?
Regards
David
David
www.3cellhosting.com
- where personality, creativity and integrity come as standard.
Yes, we are implementing a password reset mechanism similar to Joomla 2.5 in the upcoming CB 2.0. We will discuss whether we should backport this to CB 1.9.
As a general rule, if you have any security-related items, even minor, please use the "Contact" link at bottom of any page for private reporting instead of posting in forum.
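A link-based reset of the kind described in the reply above, as an added illustration that is not CB's or Joomla's code: the site stores only a hash of a random token, the emailed link carries the plaintext once, the token expires and can be redeemed a single time. The store, the 15-minute lifetime and the function names are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass, field

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class ResetStore:
    # In-memory stand-in for the database table a real site would use;
    # keyed by the SHA-256 of the token, never by the token itself.
    records: dict[bytes, ResetRecord] = field(default_factory=dict)


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def issue_reset_token(store: ResetStore, user_id: str, now: float | None = None) -> str:
    """Create a single-use reset token for user_id and return the plaintext
    to embed in the emailed URL. Only its hash is kept server-side, so a
    leaked table does not yield working links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store.records[_hash_token(token)] = ResetRecord(user_id, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(store: ResetStore, token: str, now: float | None = None) -> str | None:
    """Return the user_id if the token is known, unexpired and unused, else None.
    Marking it used on success means a copy intercepted in transit is worthless
    once the legitimate user has completed the reset, and vice versa."""
    now = time.time() if now is None else now
    rec = store.records.get(_hash_token(token))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    rec.used = True
    return rec.user_id
```

Unlike a temporary password, a stale or already-redeemed link gives an interceptor nothing, and the account's existing credentials stay unchanged until the token is actually used.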
To my mind it was not really a security issue as the email from Joomla could also be intercepted and actioned but that is a one time use. Still the same ultimate risk.
After 1 week of server penetration tests they only came up with 6 medium risks, 8 low risks and 4 information points. 2 of the medium risks can be cured by the client having an SSL certificate installed. To me that is a great reason for using Joomla and reliable 3rd party extensions such as CB and CB Subs.
Point taken about real security issues and use of 'contact us' rather than a forum board.
David
www.3cellhosting.com
- where personality, creativity and integrity come as standard.