[Security] Email and password changing

6 Apr Edited
#1
https://community.mybb.com/post-1114226.html
This is a massive security vulnerability: the change email page is directly accessible.

- Permission setting to change password and email for usergroups.
- Username changes are moderator-approvable; this functionality should be provided with password and email changes.
- Enforce email verification for password and email changes.
- Previous email, date and IP logging for email and password changes.
- Failed login attempts logging between password and email changes.
- IP and date logging for password reset requests.
- Lookup accounts with password/email changed from IP range.

Secondary plugin:
- Message and title filter for thread creation in sub-forums that prevents posting and responds with customizable instructions.
- Message and title filter for PMs and the contact page, which would disable (IP and cookie block) PMing and contacting through the contact page until further notice. This should be a flag in the database that can be modified externally, and it would eventually update in the Task Manager.
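
The logging and IP-range lookup items from the list in post #1, sketched as an added example (not code from this thread or from MyBB). The table, column and function names and the sample rows are assumptions made for illustration, and Python with SQLite stands in for a plugin's PHP and forum database.

```python
import ipaddress
import sqlite3

CHANGES = ("email_change", "password_change")
SCHEMA = """CREATE TABLE credential_log (
    uid INTEGER NOT NULL,
    event TEXT NOT NULL CHECK (event IN ('email_change', 'password_change',
                                         'reset_request', 'failed_login')),
    old_email TEXT,          -- previous address, kept for email changes
    ip TEXT NOT NULL,
    ts INTEGER NOT NULL)"""

# Constructed sample events: (uid, event, ip, unix time, previous email)
SAMPLE = [
    (7, "failed_login", "203.0.113.9", 100, None),
    (7, "failed_login", "203.0.113.9", 101, None),
    (7, "password_change", "203.0.113.9", 110, None),
    (7, "email_change", "203.0.113.77", 120, "old7@example.org"),
    (8, "email_change", "198.51.100.4", 130, "old8@example.org"),
    (9, "reset_request", "203.0.113.50", 140, None),
    (10, "password_change", "2001:db8::1", 150, None),
]

def record(db, uid, event, ip, ts, old_email=None):
    ip = str(ipaddress.ip_address(ip))  # normalise; raises ValueError if malformed
    db.execute("INSERT INTO credential_log VALUES (?, ?, ?, ?, ?)",
               (uid, event, old_email, ip, ts))

def changed_from_range(db, cidr):
    """uids whose email or password was changed from an address inside cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    rows = db.execute("SELECT uid, ip FROM credential_log WHERE event IN (?, ?)", CHANGES)
    return sorted({uid for uid, ip in rows if ipaddress.ip_address(ip) in net})

def failures_before_each_change(db, uid):
    """(ts, event, failed logins since the previous change) for every change by uid."""
    rows = db.execute("SELECT event, ts FROM credential_log WHERE uid = ? AND event IN "
                      "('failed_login', ?, ?) ORDER BY ts", (uid, *CHANGES))
    out, fails = [], 0
    for event, ts in rows:
        if event == "failed_login":
            fails += 1
        else:
            out.append((ts, event, fails))
            fails = 0
    return out

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    for row in SAMPLE:
        record(db, *row)
    return db
```

Storing the address as normalised text keeps IPv4 and IPv6 in one column; the range match is done in application code, so it works for either family.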
Shade 6 Apr
#2
I can work on the first one. I have to do some brainstorming but it might be a Basic to Advanced-tier plugin. Don’t expect it before end of July/August.

Please open one thread per plugin request.

PS: there is no security vulnerability. Both pages are only accessible if logged in.
Kalju 6 Apr Edited
#3
The point is to stop users from being able to change email and password, and the info provided in that thread just hides the buttons without removing the functionality.

I have it implemented by just copying the permission code from "can change username".
Shade 6 Apr
#4
So you don't need it anymore?
Kalju 7 Apr
#5
Still need the logging data.
Shade 7 Apr Edited
#6
Alright, will add to my to-do list.