Hi,
I just realized, the password recovery function unveils a user's password.
In a wiki with registration, and Email verification, where the XWiki
space must currently be enabled to be viewed by everybody, this could
be used by spammers (and others who like to collect email addresses) to
harvest email addresses by calling the resetpassword function for every
user they see on the "AllUsers" page.
I'd propose to not show the Email address to which a password reminder is sent.
Henning
--
Henning Sprang
http://www.sprang.de |
http://lazyb0y.blogspot.com/
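As an added illustration of the proposal above (example code written here, not XWiki's own code nor part of Henning's message), a minimal password-reset front end in Python: it returns the same text whether or not the user exists, never echoes the address the reminder went to, and throttles repeated requests from one source so that walking a user list yields nothing. The user store, names and limits are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed sample user store (hypothetical names; not XWiki's data model).
USERS = {
    "henning": "henning@example.org",
    "alice": "alice@example.org",
}

# The response never varies with the username or with the address on file,
# so a caller learns neither whether the account exists nor its e-mail.
GENERIC_RESPONSE = ("If an account with that name exists, a password-reset "
                    "message has been sent to the e-mail address on file.")


class ResetService:
    """Password-reset handler that keeps the stored address out of the response."""

    def __init__(self, send_mail, max_per_window=5, window_seconds=3600,
                 clock=time.time):
        self.send_mail = send_mail            # callable(address, body); injected for testing
        self.max_per_window = max_per_window  # reset requests allowed per requester per window
        self.window_seconds = window_seconds
        self.clock = clock                    # injectable clock so the window can be tested
        self._requests = defaultdict(deque)   # requester -> timestamps of recent requests

    def _allowed(self, requester):
        """Sliding-window limit per requester (e.g. client IP or session)."""
        now = self.clock()
        recent = self._requests[requester]
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False
        recent.append(now)
        return True

    def request_reset(self, username, requester):
        """Handle one reset request for `username` coming from `requester`.
        Returns identical text whether the user exists, a mail was sent, or the
        requester was throttled; the address is used only to deliver the mail."""
        if not self._allowed(requester):
            return GENERIC_RESPONSE
        address = USERS.get(username)
        if address is not None:
            self.send_mail(address, f"Password reset instructions for {username}")
        return GENERIC_RESPONSE
```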