
Key: CONF-3345
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Unassigned
Reporter: Jens Schumacher [Atlassian]
Votes: 0
Watchers: 0
Confluence

Password Reminder will change password even though the email was not sent

Created: 02/Jun/05 02:05 AM   Updated: 01/May/07 01:32 AM
Component/s: None
Affects Version/s: 1.4
Fix Version/s: 2.5.1

Time Tracking:
Not Specified

Participants: Charles Miller [old account, do not assign issues], Jeff Leigh and Jens Schumacher [Atlassian]
Resolution Date: 01/May/07 01:32 AM
Labels:


Description
The password reminder will create a new password and send it to the given user via email.

But if the system cannot send the email for some reason, it will still change the password. Therefore the user won't be able to log in anymore.
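To make the ordering defect concrete, here is an added Python sketch that is not Confluence's code: `Mailer`, the user dictionary and the two `reset_*` functions are constructed stand-ins. It contrasts the reported order (persist the new hash, then try to mail it) with a corrected order that refuses when no mail server is configured and persists the hash only after delivery succeeded.

```python
import hashlib
import secrets

class MailSendError(Exception):
    pass

class Mailer:
    # Constructed stand-in for the SMTP layer (hypothetical, not the real API).
    # configured=False models the "no mail server listed" situation from the report.
    def __init__(self, configured=True):
        self.configured = configured
        self.sent = []  # (recipient, body) pairs that were "delivered"

    def send(self, to, body):
        if not self.configured:
            raise MailSendError(f"no SMTP server configured, cannot mail {to}")
        self.sent.append((to, body))

def hash_password(password):
    # Demo only: a real store uses a salted, slow hash (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def check_login(users, username, password):
    return users[username]["hash"] == hash_password(password)

def reset_vulnerable(users, username, mailer):
    # Defective order from the report: the new password is persisted first,
    # so a delivery failure leaves the account with a password nobody knows.
    new_password = secrets.token_urlsafe(12)
    users[username]["hash"] = hash_password(new_password)
    try:
        mailer.send(users[username]["email"], new_password)
    except MailSendError:
        pass  # the requester is still told "an email was sent"
    return True

def reset_fixed(users, username, mailer):
    # Corrected order: refuse early without a mail server (the resolution on this
    # issue) and persist the new hash only after delivery succeeded.
    if not mailer.configured:
        return False
    new_password = secrets.token_urlsafe(12)
    try:
        mailer.send(users[username]["email"], new_password)
    except MailSendError:
        return False  # nothing was changed; the old password still works
    users[username]["hash"] = hash_password(new_password)
    return True
```

Even the corrected order still lets any visitor trigger a password change for any username, the lockout the comment below describes; the usual mitigation is a reset that changes nothing until the emailed single-use token is presented.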



Jeff Leigh added a comment - 10/Aug/06 03:06 PM
I just encountered this issue today with version 2.2.7.

Because I didn't have any SMTP servers listed, I was curious what Confluence would do if someone forgot their password. I logged out, and foolishly typed in the admin's username.

Even without any SMTP servers, Confluence immediately changed the admin password, and I was off hacking the database to restore a known password hash.

What is disturbing is that really anyone could put anyone's name into the 'forgot password' page to lock them out. Unfortunately also, users have no way of knowing that no password was actually sent (it says an email was sent to them), and the admins have no way of knowing until a few days later when they ask where their email is.

In the meantime, I think I'll create a secondary admin account until I have an SMTP server running.


Charles Miller [old account, do not assign issues] added a comment - 01/May/07 01:32 AM
Password retrieval will now fail if no mail server is configured.