[Critical] CAPTCHA, reset password/maintenance mode (Read 14,362 times)
MF-B
Development Team
Posts: 2,405
Location: Moscow, Russia

YaBB 2.4
Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #26 - May 23rd, 2010 at 8:12am
Ok...

New LogInOut.pl in CVS
  

Stand!
 
Captain John
Ex Member


Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #25 - May 22nd, 2010 at 3:54am
yep ... or editing admin.vars and replacing encrypted password with a plain text password works (one time).
  
 
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Location: Wichita, KS
Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #24 - May 21st, 2010 at 10:54pm
There's always the option of replacing the password hash stored in the user file with the default one  Cool
« Last Edit: May 21st, 2010 at 10:55pm by Matt Siegman »  

-- Matt Siegman 8) Wish List
 
MF-B
Development Team
Posts: 2,405
Location: Moscow, Russia

YaBB 2.4
Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #23 - May 21st, 2010 at 9:42pm
Jet Li wrote on May 21st, 2010 at 8:15pm:
yes.

But... what if a stupid admin sets maintenance mode, logs off from the forum and doesn't remember the password? What to do then? Grin
« Last Edit: May 21st, 2010 at 9:43pm by MF-B »  

Stand!
 
Jet Li
Legacy Dev Team
Development Team
Posts: 6,588
Location: Hong Kong
Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #22 - May 21st, 2010 at 8:15pm
MF-B wrote on May 21st, 2010 at 7:39pm:
Do we need to disable the Forgot password button too?

yes.
« Last Edit: May 21st, 2010 at 8:30pm by Jet Li »  

PM me for YaBB Installation Service
 
MF-B
Development Team
Posts: 2,405
Location: Moscow, Russia

YaBB 2.4
Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #21 - May 21st, 2010 at 7:39pm
Add disable Register button from Login area "If" Maintenance Mode

New LogInOut.pl in CVS


Do we need to disable the Forgot password button too?
« Last Edit: May 21st, 2010 at 7:41pm by MF-B »  

Stand!
 
Captain John
Ex Member


Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #20 - May 9th, 2010 at 1:27am
Quote:
Will also need to remove Password Reset & Register buttons from Login area "If" Maintenance Mode.


above needs done yet
  
 
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Location: Wichita, KS
Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #19 - May 8th, 2010 at 9:43pm
This needs to be done, shouldn't be too hard to make these changes.
  

-- Matt Siegman 8) Wish List
 
Captain John
Ex Member


Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #18 - Mar 30th, 2010 at 1:22am
Matt Siegman wrote on Mar 30th, 2010 at 1:20am:
we decide to disable password resets during maintenance mode

Corey Chapman wrote on Dec 31st, 2009 at 3:58pm:
I think we should not allow password resets.

and I totally agree ... (means we "undo" the change to allow it).

in YaBB.pl
Code
sub yymain {
  # Choose what to do based on the form action
  if ($maintenance) {
    if    ($action eq 'login2')    { require "$sourcedir/LogInOut.pl"; &Login2; }
    # Allow password reminders in case admins forgets their admin password
    elsif ($action eq 'reminder')  { require "$sourcedir/LogInOut.pl"; &Reminder; }
    elsif ($action eq 'validate')  { require "$sourcedir/Decoder.pl"; &convert; }
    elsif ($action eq 'reminder2') { require "$sourcedir/LogInOut.pl"; &Reminder2; }
    elsif ($action eq 'resetpass') { require "$sourcedir/LogInOut.pl"; &Reminder3; }

    if (!$iamadmin) { require "$sourcedir/LogInOut.pl"; &InMaintenance; }
  } 


Will also need to remove Password Reset & Register buttons from Login area "If" Maintenance Mode.

  When in Maintenance Mode, no registration or password resets should be allowed.
« Last Edit: Mar 30th, 2010 at 4:58am by »  
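
The decision reached in this thread, sketched as an added example (not YaBB's own code): while maintenance mode is on, a non-admin request is routed by allow-list, so only login2 gets through and the reset and registration actions fall to the maintenance notice. The handler table, the `register` and `display` action names, the `BoardIndex` default and the `route`/`login_links` helpers are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical action table. login2/reminder/reminder2/resetpass mirror the
# excerpt above; 'register' and 'display' are constructed stand-ins.
my %handler = (
    login2    => 'Login2',
    reminder  => 'Reminder',
    reminder2 => 'Reminder2',
    resetpass => 'Reminder3',
    register  => 'Register',
    display   => 'Display',
);

# While the forum is locked, login2 is the only action a guest may reach,
# so an admin can still sign in. Resets and registration are not listed.
my %allowed_in_maintenance = map { $_ => 1 } qw(login2);

sub route {
    my ($action, $maintenance, $iamadmin) = @_;
    $action = '' unless defined $action;
    # Check the lock first so unknown or empty actions are refused too.
    if ($maintenance && !$iamadmin && !$allowed_in_maintenance{$action}) {
        return 'InMaintenance';
    }
    return $handler{$action} // 'BoardIndex';
}

# Login-area links: the same flag hides the buttons, so the form never
# offers an action the router would refuse.
sub login_links {
    my ($maintenance) = @_;
    return $maintenance ? () : ('Register', 'Forgot password');
}

# Constructed requests: [action, maintenance flag, admin flag]
for my $case (
    [ 'login2',   1, 0 ], [ 'reminder', 1, 0 ], [ 'resetpass', 1, 0 ],
    [ 'register', 1, 0 ], [ 'display',  1, 1 ], [ 'reminder',  0, 0 ],
) {
    my ($action, $mm, $admin) = @$case;
    printf "%-9s maintenance=%d admin=%d -> %s\n",
        $action, $mm, $admin, route($action, $mm, $admin);
}
printf "login links in maintenance: [%s]\n", join ', ', login_links(1);
printf "login links normally:       [%s]\n", join ', ', login_links(0);
```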
 
Matt Siegman
YaBB Legends (Inactive)
Posts: 3,380
Location: Wichita, KS
Re: [Critical]CAPTCHA, reset password/maintenance mode
Reply #17 - Mar 30th, 2010 at 1:20am
What is the status on this? Did we decide to disable password resets during maintenance mode, or to fix the bug with resetting in maintenance mode?
  

-- Matt Siegman 8) Wish List
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,790
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: CAPTCHA, reset password, maintenance mode
Reply #16 - Jan 7th, 2010 at 7:00pm
I now agree with Corey's assessment. They can't do anything anyway, let them come back.

Smiley
  

I find your lack of faith disturbing.
 
Corey Chapman
YaBB Administrator
Posts: 10,015
Location: Rock Hill, South Carolina

None
Re: CAPTCHA, reset password, maintenance mode
Reply #15 - Dec 31st, 2009 at 3:58pm
Here's the way I see it.  There is only 1 reason to allow a password reset in maintenance mode, and in my opinion it is not a good one.

Admin "A" is already logged in, which allows him to turn the forum MM on.  He does not need to reset his password, of course.

If a non-admin cannot do anything on the forum while in MM, then even if they choose to reset their password (and click the link or not) they will not be able to complete the process or do anything else once it's reset (not even login).  So what's the point of allowing them?  If profile or log files were being maintained, there's a possibility this could screw that up.

If Admin "B" resets the password do we currently allow the emailed reset link to work?  An admin password reset would be the only reason to allow it, and it's pointless to me.  Admin "A" could manually change his password in his profile if he really needed to get in.

If we do allow the reset, then Admin "B" can now login (or already did if he didn't forget his password).  Yes, he can now do -anything- in the forum which can alter files, but it is most likely he will be cautious with this knowing what MM allows Admin "A" to do.  And if he forgot his password and we don't allow the reset, it's less likely he'll do something damaging since he can't even login.

I think we should not allow password resets.
« Last Edit: Dec 31st, 2009 at 4:00pm by Corey Chapman »  

 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,790
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: CAPTCHA, reset password, maintenance mode
Reply #14 - Dec 15th, 2009 at 12:53pm
I'll clarify what I meant -

No substantive files are affected, the operations on important YaBB files are read-only - other than 'forgotten.passes' - which is a disposable file.

I stick with my contention it poses no risks to allow password retrieval during maintenance as the end-user cannot act upon it until the forum is out of maintenance.

As for Admin collisions - hopefully the admins will be bright enough to contact each other and ask 'WT* are you doing?' before they cause any damage! - LOL. 

If they are both admins and don't have a back channel for communications like phone, IM or e-mail, then the forum has larger problems than 2 admins logged in during maintenance.

just my not-worth-so much-currently two cents.

Smiley
« Last Edit: Dec 15th, 2009 at 12:54pm by JonB »  

I find your lack of faith disturbing.
 
Captain John
Ex Member


Re: CAPTCHA, reset password, maintenance mode
Reply #13 - Dec 14th, 2009 at 11:03pm
Jens Brix Christiansen wrote on Dec 14th, 2009 at 8:53pm:
The basic idea in YaBB 2.4 is to allow password reset in maintenance mode.


mmmm maybe just overlooked, and that is really the bug, since ..
Quote:
the purpose of Maintenance Mode to "lock" the forum while the Admin performed Maintenance


Jens Brix Christiansen wrote on Dec 14th, 2009 at 8:53pm:
Here is a scenario:


  "IF" 2 or more Admins (maybe more unlikely happening than a 1,2 or maybe 3 users doing a password reset)
« Last Edit: Dec 14th, 2009 at 11:14pm by »  
 
Jens Brix Christiansen
YaBB Newcomer
Posts: 26
Location: Frederiksberg, Denmark
Re: CAPTCHA, reset password, maintenance mode
Reply #12 - Dec 14th, 2009 at 8:53pm
Quote:
Willing to allow me, to use Password Reset, while you run Maintenance Functions in a large Live Forum, with the fix above to allow me to do just that ?
mmmmm the "possibilities" of the unknown.

Just to set the record straight:

The basic idea in YaBB 2.4 is to allow password reset in maintenance mode. The fix that I suggested does not change that; it just fixes a simple bug without passing judgement on the general design issue. Resetting passwords in maintenance mode works in general in YaBB 2.4 as long as the CAPTCHA feature isn't turned on.

If the powers that be decide that the system should not allow reset password functions while in maintenance mode, that design decision can be implemented by removing a few of the other lines in the same general part of YaBB.pl.



Note that even if the reset password function is no longer allowed in maintenance mode, it is still possible (although very unlikely) that files are changed unwittingly in a forum in maintenance mode. Here is a scenario:
  • Admin B gets himself a logon screen and starts filling it out.
  • Admin A, who is already logged on, puts the forum in maintenance mode and performs an action that should be protected by the maintenance mode.
  • Admin B hits the logon button and gets logged on - with a message that maintenance mode is on.

This scenario alters a handful of files while the forum is in maintenance mode, and Admin B has no way of knowing beforehand that now is not a good time to log on.
  
 