[Vtigercrm-developers] ForgotPassword does not include the required information
Hamono, Chris (DPC)
Chris.Hamono at sa.gov.au
Tue Sep 2 02:23:06 GMT 2014
When a user is using self service to change their password the process fails.
The problem is that two important fields are not being passed to the forgotpassword template and therefore not being sent to the forgotPassword action script.
The two required fields are secret_hash and shorturl_id.
Without the secret hash the function fails; without the shorturl id the shorturl table cannot be cleaned, which is a security risk. Short URLs should also be timed out when appropriate, such as in the case of password resets!
The script at the centre of this problem is ...
http://trac.vtiger.com/cgi-bin/trac.cgi/browser/vtigercrm/trunk/modules/Users/ForgotPassword.php?rev=14045
Severity: Showstopper!
I am about to implement an internal secure vtiger instance with hundreds of users. Such a system will cause major headaches if users cannot reset their passwords.
Chris
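The report above turns on two things a self-service reset link has to carry (a secret and a short-URL id) and on what the server must do with the short-URL row once the link is used or has aged out. The following is an added illustration of that flow written for this post, not vtiger's own ForgotPassword.php: it is in Python rather than vtiger's PHP, the `ShortUrlTable` is a constructed in-memory stand-in for the shorturl table, the one-hour lifetime and the SHA-256 storage of the secret are assumptions, and the parameter names `secret_hash` and `shorturl_id` are kept only so they line up with the fields named in the report.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Assumed lifetime of a reset link; the original post only says links
# "should be timed out when appropriate".
RESET_TTL_SECONDS = 3600


@dataclass
class ShortUrlRow:
    user_id: int
    secret_digest: str   # SHA-256 of the secret, so a DB read-out does not yield live links
    expires_at: float    # epoch seconds after which the row is dead


@dataclass
class ShortUrlTable:
    """Constructed stand-in for the shorturl table (a dict keyed by shorturl_id)."""
    rows: dict = field(default_factory=dict)


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_reset(table: ShortUrlTable, user_id: int, now: float) -> dict:
    """Create a single-use, time-limited reset record and return the link fields."""
    secret = secrets.token_urlsafe(32)
    shorturl_id = secrets.token_urlsafe(8)
    table.rows[shorturl_id] = ShortUrlRow(user_id, _digest(secret), now + RESET_TTL_SECONDS)
    # Both fields must reach the template; the bug in the report is that neither did.
    return {"shorturl_id": shorturl_id, "secret_hash": secret}


def build_reset_url(base: str, link: dict) -> str:
    """Render the link; refuse to emit a URL that is missing either required field."""
    missing = [k for k in ("shorturl_id", "secret_hash") if not link.get(k)]
    if missing:
        raise ValueError("reset link is missing required field(s): " + ", ".join(missing))
    return base + "?" + urlencode({"shorturl_id": link["shorturl_id"],
                                   "secret_hash": link["secret_hash"]})


def consume_reset(table: ShortUrlTable, shorturl_id, secret_hash, now: float):
    """Validate a submitted link. Returns the user id on success, else None.

    The row is deleted on success (single use) and on expiry (cleanup). It is
    deliberately *not* deleted on a secret mismatch, so knowing only the
    shorturl_id is not enough to cancel someone else's pending reset.
    """
    if not shorturl_id or not secret_hash:
        return None                      # the exact failure the report describes
    row = table.rows.get(shorturl_id)
    if row is None:
        return None
    if now > row.expires_at:
        del table.rows[shorturl_id]      # timed out: clean the table
        return None
    if not hmac.compare_digest(row.secret_digest, _digest(secret_hash)):
        return None                      # constant-time compare, row left intact
    del table.rows[shorturl_id]          # consumed: the short URL must not work twice
    return row.user_id


def purge_expired(table: ShortUrlTable, now: float) -> int:
    """Sweep rows whose links were never clicked; returns how many were removed."""
    stale = [k for k, r in table.rows.items() if now > r.expires_at]
    for k in stale:
        del table.rows[k]
    return len(stale)


if __name__ == "__main__":
    t = ShortUrlTable()
    link = issue_reset(t, user_id=42, now=1000.0)
    print(build_reset_url("https://crm.example/index.php", link))
    print("consumed for user", consume_reset(t, link["shorturl_id"], link["secret_hash"], 1001.0))
    print("second use ->", consume_reset(t, link["shorturl_id"], link["secret_hash"], 1002.0))
```

The `build_reset_url` guard is the cheapest place to catch the class of bug in the report: if the template context ever lacks one of the two fields, the link is never rendered, rather than being sent out in a form the action script cannot verify.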