1. Shiva: Passwords request - security issue
2009/3/28 10:19 | Quite a regular | Posts: 280 | Since: 2006/7/9

A few of my clients, myself included, have received a "lost password email":

A web user from 66.249.65.178 has just requested a new password for your account at <sitename>.
You can get your new password by clicking on the link below:

<link>

No one is requesting passwords so could this be a security risk? Has anyone else experienced this?

Thanks!

2. ghia: Re: Passwords request - security issue
2009/3/28 10:33 | Community Support Member | Posts: 4953 | Since: 2008/7/3

It means someone has filled in the request-new-password dialog with the email addresses of persons who have their address listed in content or in a profile.
Normally it should not be a security risk. I think that dialog is sufficiently protected to not allow injecting other addresses, which could give the hacker access to the activation link for the new password. And even if that were possible, the new password would only be sent to the registered user's email address.
If you receive such messages with a new password in them, then you should start worrying and post an alert here.

3. Shiva: Re: Passwords request - security issue
2009/3/28 10:56 | Quite a regular | Posts: 280 | Since: 2006/7/9

OK, thanks for the reply.

I still find it strange though, because this person's email address is not showing anywhere on the site. And the other thing is, why would someone do this? Or could it be a bot?

4. Mikhail: Re: Passwords request - security issue
2009/3/28 12:41 | Just can't stay away | Posts: 412 | Since: 2003/1/19

Quote:
Shiva wrote:
A web user from 66.249.65.178 has just requested a new password

66.249.65.178 = Google.

5. Shiva: Re: Passwords request - security issue
2009/3/28 13:02 | Quite a regular | Posts: 280 | Since: 2006/7/9

Wow, interesting. Thanks for that. Does anyone know why Google might be causing this?

I suppose this is something that should be fixed from robots.txt. I have not put in:
Disallow: /modules/profile/user.php

But I'm surprised that no one else has got the same issues.

6. ghia: Re: Passwords request - security issue
2009/3/28 13:17 | Community Support Member | Posts: 4953 | Since: 2008/7/3

No, Google itself does not do that.
Besides, you have to provide a valid email address in order to identify the user and trigger the sending of the email with the request. Google would not combine such things.
It might happen if a link for it exists on your site (with the fields already filled in), which is not standard. But for such a link to work, the function would have to allow being called by GET, while it should only react on POST (to be verified in the core).
Another way is that someone is abusing a proxy or has hacked a server at Google to get access to sites from an unsuspected network, or is emulating that IP address for it.
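To make the GET-versus-POST point concrete, here is an added example of a reset-request handler written for this thread (it is not XOOPS core code; `log_reset_attempt()` and `send_reset_mail()` are hypothetical helpers defined inline). A GET only renders the form, so a crawler following a pre-filled link cannot trigger the mail; the side effect happens only on a POST that carries a token the form itself issued.

```php
<?php
// Added example, not XOOPS core code. Helpers below are hypothetical stand-ins.
session_start();

function log_reset_attempt(string $ip, string $email): void
{
    // Keep a record of who asked, so cases like the one in this thread can be traced.
    error_log(sprintf('password reset requested from %s for %s', $ip, $email));
}

function send_reset_mail(string $email): void
{
    // In a real site the token is stored against the account with an expiry;
    // here only the delivery step is shown. Mail goes to the submitted address only.
    $token = bin2hex(random_bytes(16));
    mail($email, 'Password reset', "Use this link to set a new password: /reset.php?t=$token");
}

// GET: serve the form and a one-time token. Crawling this URL has no side effect.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $_SESSION['reset_token'] = bin2hex(random_bytes(16));
    echo '<form method="post">'
       . '<input type="hidden" name="token" value="' . $_SESSION['reset_token'] . '">'
       . '<input type="email" name="email"> <button>Request new password</button></form>';
    exit;
}

// Anything other than POST is refused; ?email=... in a query string is never honoured.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: GET, POST');
    exit;
}

// The token proves the POST originated from a form served to this browser session.
$token = $_POST['token'] ?? '';
if ($token === '' || !isset($_SESSION['reset_token']) || !hash_equals($_SESSION['reset_token'], $token)) {
    http_response_code(403);
    exit('Invalid or missing form token.');
}
unset($_SESSION['reset_token']);   // single use

$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
log_reset_attempt($_SERVER['REMOTE_ADDR'], $email === false ? '(invalid)' : $email);
if ($email !== false) {
    send_reset_mail($email);
}
// Same response whether or not the address is registered, to avoid account enumeration.
echo 'If that address is registered, a message with further instructions has been sent.';
```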

7. Mikhail: Re: Passwords request - security issue
2009/3/28 14:10 | Just can't stay away | Posts: 412 | Since: 2003/1/19

Quote:
ghia wrote:
No, Google itself does not do that.

Maybe someone is using Google to make a password request. For example, a Google proxy for translations or WAP access. Does the module Protector handle Google differently?

I'm just imagining some possibilities.

8. Shiva: Re: Passwords request - security issue
2009/3/28 16:58 | Quite a regular | Posts: 280 | Since: 2006/7/9

So putting this in robots.txt: 'Disallow: /modules/profile/user.php' will not resolve anything.

But is this happening to anyone else? If not, why does this happen only occasionally but on quite a few of my sites?

9. ghia: Re: Passwords request - security issue
2009/3/28 17:47 | Community Support Member | Posts: 4953 | Since: 2008/7/3

Quote:
Maybe someone is using Google to make a password request. For example, a Google proxy for translations or WAP access.

That would be normal use of it. But I don't think the user should be surprised to get an email for the password change then.

AFAIK this has not been encountered before.
Can you retrieve the IP numbers of previous cases? Was it the same user? Is he aware of the fact that you get an email by filling in the form at the forgot-password link?

10. Mikhail: Re: Passwords request - security issue
2009/3/28 20:20 | Just can't stay away | Posts: 412 | Since: 2003/1/19

Quote:
Mikhail Miguel wrote: Maybe someone is using Google to make a password request. For example, a Google proxy for translations or WAP access. Does the module Protector handle Google differently? I'm just imagining some possibilities.

Ghia wrote: That would be normal use of it. But I don't think the user should be surprised to get an email for the password change then.
AFAIK this has not been encountered before.
Can you retrieve the IP numbers of previous cases? Was it the same user? Is he aware of the fact that you get an email by filling in the form at the forgot-password link?

Hi!

I don't know... Google generally has free access to sites (it is not blocked by .htaccess or protection scripts), so I mean the possibility of taking advantage of this free access by using Google's proxies to make uncommon use of the site. Sure, this is not a problem specific to XOOPS (I think it mainly happens with .htaccess)... Anyway, I'm still curious 'if' and 'how' Protector handles Google and other bots differently, and how it detects whether it is really a bot (checking not only the User-Agent and IP range but also, for example, whether the referrer is blank is a good start)... But this is just a brainstorm.
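As an added example of the bot check asked about above (my code, not Protector's): besides the User-Agent header, a request claiming to come from Google can be verified with forward-confirmed reverse DNS. The PTR name of the address must end in one of the two domains Google publishes for its crawlers, googlebot.com or google.com, and that name must resolve back to the same address; a forged PTR on someone else's range fails the second step. The IP from this thread is used as the sample input, and the lookup needs DNS access at run time.

```php
<?php
// Added example, not part of XOOPS or Protector. IPv4 only (gethostbynamel returns A records).

/**
 * True only if $ip's PTR record ends in a Google crawler domain AND that hostname
 * resolves forward to the same $ip. Checking the PTR alone is not enough, because
 * the owner of any address range can publish whatever PTR name they like.
 */
function is_verified_googlebot(string $ip, ?string $userAgent = null): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    // A crawler User-Agent on a non-crawler address is the suspicious combination,
    // so a request without the Googlebot UA is simply not a Googlebot claim.
    if ($userAgent !== null && stripos($userAgent, 'Googlebot') === false) {
        return false;
    }

    $host = gethostbyaddr($ip);            // returns the input IP unchanged on failure
    if ($host === false || $host === $ip) {
        return false;
    }
    $host = rtrim(strtolower($host), '.');

    $trusted = false;
    foreach (['.googlebot.com', '.google.com'] as $suffix) {
        if (substr($host, -strlen($suffix)) === $suffix) {
            $trusted = true;
            break;
        }
    }
    if (!$trusted) {
        return false;
    }

    $forward = gethostbynamel($host);      // array of A records, or false
    return $forward !== false && in_array($ip, $forward, true);
}

// Sample input taken from the thread; a log-review script would label each line like this.
$ip = '66.249.65.178';
$ua = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
printf("%s -> %s\n", $ip,
    is_verified_googlebot($ip, $ua) ? 'verified Google crawler' : 'NOT verified, treat as an ordinary client');
```

Requests that fail this check but still trigger side effects (such as a reset mail) are the ones worth correlating against the web server log.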
