[drupal-devel] [feature] Don't reset existing password on request, prevent DoS password reset abuse
brlcad
drupal-devel at drupal.org
Mon Feb 7 01:54:44 UTC 2005
Project: Drupal
Version: 4.5.2
Component: user system
Category: feature requests
Priority: critical
Assigned to: Anonymous
Reported by: brlcad
Updated by: brlcad
Status: patch
Attachment: http://drupal.org/files/issues/pass_alt.diff (6.12 KB)
This patch adds a field to the user table for storing an alternate
password. When a password request is made, the alternate password is
set instead of clobbering the existing password. This allows the user
to discard the regenerated password e-mail, preserving the existing
password.
This also prevents abuse whereby any anonymous user can repeatedly
reset user passwords potentially entirely blocking access to a site,
e.g. a curl shell script that repeatedly posts a password reset request
for all accounts.
Iff the alternate password is used for authentication, the alternate
password becomes the main password. If the main password is set (e.g.
admin user form), the alternate password is unset.
The patch was made against DRUPAL-4-5-2.
Cheers!
Sean
brlcad
--
View: http://drupal.org/node/16909
Edit: http://drupal.org/project/comments/add/16909
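The alternate-password state machine described in the message above, modelled as an added Python example (not the attached pass_alt.diff, which is not reproduced on this page; the `Account` class, the `alt_hash` slot name and the plain hash are illustrative assumptions):

```python
import hashlib
import hmac
import secrets


def _hash(password: str) -> str:
    # Illustrative only; a real deployment uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    """Models a user row: the main password hash plus the patch's alternate slot."""

    def __init__(self, password: str):
        self.pass_hash = _hash(password)
        self.alt_hash = None  # assumed name for the new column; None means unset

    def request_reset(self) -> str:
        """Anonymous reset request: only the alternate slot is written.
        The main password is untouched, so a flood of requests cannot lock the user out."""
        new_password = secrets.token_urlsafe(9)
        self.alt_hash = _hash(new_password)
        return new_password  # would be e-mailed to the user; ignoring it costs nothing

    def authenticate(self, password: str) -> bool:
        h = _hash(password)
        if hmac.compare_digest(h, self.pass_hash):
            return True
        if self.alt_hash is not None and hmac.compare_digest(h, self.alt_hash):
            # Alternate used for login: it becomes the main password, slot is cleared.
            self.pass_hash, self.alt_hash = h, None
            return True
        return False

    def set_password(self, password: str) -> None:
        """Explicit change (e.g. admin user form) sets main and unsets the alternate."""
        self.pass_hash = _hash(password)
        self.alt_hash = None


def reset_flood_keeps_access(attempts: int = 100) -> bool:
    """Simulates the repeated-reset abuse: the original password must still work."""
    acct = Account("original-secret")
    for _ in range(attempts):
        acct.request_reset()
    return acct.authenticate("original-secret")
```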