vb.org Archive - Exploit related to forced password reset email?

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)

- - Exploit related to forced password reset email? (https://vborg.vbsupport.ru/showthread.php?t=322264)

WillyWonkaBar

04-01-2016 01:21 AM

Exploit related to forced password reset email?

We had about 30 users write in today that they received password reset email notifications, but didn't request them.

Is anybody aware of an exploit that might make use of this? We did block a connection that appears to have been either scraping the site, looking for a user list to possibly perform these password resets, or doing something else nefarious.

We did have an issue with the mail queue growing quite large, larger than what our mail queue batch setting could keep up with.

I'm betting the mail queue issue is related to these password reset email notifications going out. I've reviewed the notifications received, and they look correct. No bad URLs or missing usernames.

Has anybody experiencing something similar to this?

Thanks!

WWB

Dave	04-01-2016 05:26 AM

Anyone can request those emails to be sent from login.php?do=lostpw.
Or is that not what you're talking about?

WillyWonkaBar

04-01-2016 03:04 PM

No, you're correct. We have that page. But you need to specify an email address and complete recaptcha v2.

These users did not request the password reset. So somebody else did.

So that somebody would have to know the email addresses, correct? Maybe a bot guessing email addresses, or using their own list against our website?

Again, I'm more trying to determine that if it was somebody with malicious intent, what could they gain going this route. It only makes sense to me if they have access to the email account in question, and then even in that scenario, they'd have to figure out admin account email addresses. Again, if they're after access.

There's also the possibility that this was a DOS attack, or attack on VB's mail queue. Our mail queue, around the same time these support requests came in, swelled to 7000 msgs, which the mail queue process scheduled task couldn't keep up with based on our settings.

Or maybe this was just a site scraper.

Dave	04-01-2016 03:26 PM

I doubt it will do any harm besides filling up your mail queue. There's not a whole lot to do against it since it's just a public page.

Have you checked the access logs for GET/POST requests sent to login.php?do=lostpw? Maybe you can get some more information regarding who did it by looking at the access logs.

WillyWonkaBar

04-01-2016 03:47 PM

Thanks for the suggestion, Dave. I check the logs and report back.

All times are GMT. The time now is 11:55 PM.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.00973 seconds Memory Usage 1,713KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (5)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: