How can that be?Darthmat wrote:A forum I belong to has been hacked that way.
I've never had any of my email accounts cracked. Like was said, stronger passwords. And if the user uses the same password for email as they do your site and other sites, then the strongest password in the world won't keep them from getting owned. And the word is "more" not "moar."Darthmat wrote:No, it wasn't. I would just like to know how to disable the option for admins and mods, because email hacking is not that hard.
Actually it did. But that's just a pet peeve of mine, don't mind me.Darthmat wrote:I little chat speak never hurt anyone.
Thinking about it, I don't think it'd be too difficult, but you'll need a MOD for it. Without looking at the code, I think all you'll have to do is set an auth for groups of your choosing and check that auth in the forgot password.But I would still like to know how to do this, whether it be phpBB's fault or not.
Code: Select all
<!-- IF not U_MCP or not U_ACP --> //show the link <!-- ENDIF -->
That would work in phpBB2, but not 3 because of the way phpBB3 handles permissions. That's why I suggested the extra auth, as it would use the permission masks.MartectX wrote:I'd try and tamper with ucp.php's "sendpassword": check the provided username if it's a mod or admin and (if yes) stop the processing.