• Incorrect logins, password reset e-mail/hackwarn sending etc.

    From Björn Wiberg@2:201/137 to g00r00 on Monday, July 11, 2022 21:45:48
    Hello g00r00!

    I just noticed the following:

    * If someone exceeds the maximum login attempts (enters an incorrect password multiple times), gets prompt #538 (if the e-mail reset feature has been enabled) and then hangs up at that prompt, Mystic appears to send the password reset e-mail despite the fact that the user hung up -- *if* the user had "Yes" selected at the lightbar prompt.

    I would have expected it to not send the password reset e-mail but rather the hackwarn e-mail (both if the user denies e-mail reset or hangs up).

    * If someone exceeds the maximum login attempts, gets prompt #538, denies e-mail reset, gets prompt #475, chooses to send a password inquiry to the SysOp and then aborts the message from within the full screen editor, the recipient of the automatic hackwarn message appears to be set to be the SysOp rather than the potentially hacked user.

    * If a user attempts to deselect a (single) message base from new scans or QWK new scans, which has New Scan: Forced or QWK Scan: Forced, prompts #302/#406 do not seem to be shown any longer. (I know these prompts were unexpectedly shown earlier when selecting/deselecting *all* bases, which was fixed in the 07/11 A48, but perhaps that fix also affected this?)

    Hoping you can take a look at this whenever you get some time.

    Many thanks in advance!

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/11 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
  • From g00r00@1:129/215 to Björn Wiberg on Monday, July 11, 2022 16:25:53
    * If someone exceeds the maximum login attempts (enters an incorrect password multiple times), gets prompt #538 (if the e-mail reset feature has been enabled) and then hangs up at that prompt, Mystic appears to
    send the password reset e-mail despite the fact that the user hung up --

    I have cleaned this up so it will simply shut down the node and do nothing, since the user never actually asked for the e-mail.

    * If a user attempts to deselect a (single) message base from new scans
    or QWK new scans, which has New Scan: Forced or QWK Scan: Forced,
    prompts #302/#406 do not seem to be shown any longer. (I know these

    I think I might have it right this time in the next build.

    * If someone exceeds the maximum login attempts, gets prompt #538, denies e-mail reset, gets prompt #475, chooses to send a password inquiry to the SysOp and then aborts the message from within the full screen editor, the recipient of the automatic hackwarn message appears to be set to be the SysOp rather than the potentially hacked user.

    Should be fixed in the next build, thank you!

    ... Everyone is entitled to my opinion!

    --- Mystic BBS v1.12 A48 2022/07/11 (Windows/64)
    * Origin: Sector 7 * Mystic WHQ (1:129/215)
  • From Björn Wiberg@2:201/137 to g00r00 on Tuesday, July 12, 2022 10:34:00
    Hello g00r00!

    Thank you for your message!

    On 11 Jul 2022, g00r00 said the following...

    * If someone exceeds the maximum login attempts (enters an incorrect password multiple times), gets prompt #538 (if the e-mail reset featu has been enabled) and then hangs up at that prompt, Mystic appears to send the password reset e-mail despite the fact that the user hung up

    I have cleaned this up so it will simply shut down the node and do nothing, since the user never actually asked for the e-mail.

    Thanks! But it will send a hackwarn message to the user before shutting down, right? As otherwise someone can repeatedly hang up at the password reset prompt and the user will never know about the failed login attempts...

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/11 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
  • From g00r00@1:129/215 to Björn Wiberg on Tuesday, July 12, 2022 08:45:43
    * If someone exceeds the maximum login attempts (enters an incor password multiple times), gets prompt #538 (if the e-mail reset has been enabled) and then hangs up at that prompt, Mystic appea send the password reset e-mail despite the fact that the user hu

    I have cleaned this up so it will simply shut down the node and do nothing, since the user never actually asked for the e-mail.

    Thanks! But it will send a hackwarn message to the user before shutting down, right? As otherwise someone can repeatedly hang up at the password reset prompt and the user will never know about the failed login attempts...

    Yes, it should still send the hackwarn notification before shutting down. If it doesn't, let me know! :)

    ... System halted - Press all keys at once to continue

    --- Mystic BBS v1.12 A48 2022/07/11 (Windows/64)
    * Origin: Sector 7 * Mystic WHQ (1:129/215)
  • From Björn Wiberg@2:201/137 to g00r00 on Tuesday, July 12, 2022 21:26:24
    Hello g00r00!

    On 12 Jul 2022, g00r00 said the following...
    Yes, it should still send the hackwarn notification before shutting
    down. If it doesn't let me know! :)

    Sounds great!

    (Please let me know once the next build with all those fixes has been published, and I'll be happy to test all the password reset/e-mail validation stuff again!)

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/11 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
  • From g00r00@1:129/215 to Björn Wiberg on Wednesday, July 13, 2022 10:58:08
    (Please let me know once the next build with all those fixes has been published, and I'll be happy to test all the password reset/e-mail validation stuff again!)

    There should be a new build up now for you to try!

    ... There's no present. There's only the immediate future and the recent past

    --- Mystic BBS v1.12 A48 2022/07/13 (Windows/64)
    * Origin: Sector 7 * Mystic WHQ (1:129/215)
  • From Björn Wiberg@2:201/137 to g00r00 on Wednesday, July 13, 2022 20:22:24
    Hello g00r00!

    Thank you for your message!

    On 13 Jul 2022, g00r00 said the following...
    published, and I'll be happy to test all the password reset/e-mail validation stuff again!)

    There should be a new build up now for you to try!

    Thanks! The logic for sending hackwarn messages seems to be working just fine now! I think I tried all possible combinations of yes/no, correct/incorrect answers and hanging up at different points. :)

    It also finds pwreset.ini and emailval.ini correctly now.

    However, it appears to send the entire file instead of only the text in the [Text] stanza. (I have textmci = true if that would make any difference.) Same thing for both pwreset.ini and emailval.ini.

    So the e-mail text looks like a copy of the .ini file but with MCI codes replaced everywhere, also in the comments. :-D

    Example (e-mail text resulting from pwreset.ini):

    ;
    ; IRFXYQDP will be replaced in the [Text] section with the code required
    ; for password reset. Traditional MCI codes are available for from and
    ; subject lines but not in Text unless enabled by setting textmci to true

    [General]
    from_name = Star Collision BBS
    from_addr = scbbs-no-reply@xyz.com
    subject = Password reset code for Star Collision BBS
    textmci = true

    [Text]
    This is an automated message from Star Collision BBS.

    Please enter the following code when prompted by the BBS
    to reset your password:

    IRFXYQDP

    IMPORTANT NOTE: This e-mail was sent from an UNMONITORED e-mail address
    and SHOULD NOT BE REPLIED TO. If you need to contact the SysOp, please
    send an e-mail to scbbs-sysop@xyz.com instead!


    Hoping that you can take a look at that when you have time.

    Thanks in advance! =)

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/13 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
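The behaviour expected in the message above (only the [Text] stanza becomes the e-mail body, and MCI expansion of that text is opt-in), as an added example that is not part of the thread and not Mystic's code. The `{RESET_CODE}` token, the function names and the sample file are assumptions; `expand_mci` stands in for the BBS's own MCI expansion.

```python
CODE_TOKEN = "{RESET_CODE}"  # hypothetical placeholder name (assumption)

# Constructed sample modelled on the pwreset.ini layout quoted in the thread.
SAMPLE_INI = """\
;
; {RESET_CODE} will be replaced in the [Text] section
;
[General]
from_name = Example BBS
from_addr = no-reply@example.invalid
subject = Password reset code for Example BBS
textmci = false

[Text]
Please enter the following code when prompted:

{RESET_CODE}
"""

def load_mail_template(ini_text):
    """Return ([General] keys, raw [Text] body); comments and headers are dropped."""
    general, body, section = {}, [], None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.lower() in ("[general]", "[text]"):
            section = stripped[1:-1].lower()
        elif section == "text":
            body.append(line)  # body lines are kept verbatim, blank lines included
        elif section == "general" and stripped and not stripped.startswith(";"):
            key, sep, value = stripped.partition("=")
            if sep:
                general[key.strip().lower()] = value.strip()
    return general, "\n".join(body).strip("\n")

def render_reset_mail(ini_text, code, expand_mci=lambda s: s):
    """Build the mail; expand_mci stands in for the BBS's MCI expansion."""
    general, body = load_mail_template(ini_text)
    body = body.replace(CODE_TOKEN, code)  # the code goes into the body only
    if general.get("textmci", "false").lower() == "true":
        body = expand_mci(body)  # MCI codes in the text are opt-in
    return {
        "from_name": expand_mci(general.get("from_name", "")),
        "from_addr": general.get("from_addr", ""),
        "subject": expand_mci(general.get("subject", "")),
        "body": body,
    }
```

Substituting over the whole file instead of the parsed body is what puts the comments and the [General] settings into the outgoing mail.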
  • From g00r00@1:129/215 to Björn Wiberg on Wednesday, July 13, 2022 17:24:39
    However, it appears to send the entire file instead of only the text in the [Text] stanza. (I have textmci = true if that would make any difference.) Same thing for both pwreset.ini and emailval.ini.

    That's pretty funny.

    Okay, thanks, I will check into that and get it fixed up!

    ... Everyone has a photographic memory. Some don't have film.

    --- Mystic BBS v1.12 A48 2022/07/13 (Windows/64)
    * Origin: Sector 7 * Mystic WHQ (1:129/215)
  • From Björn Wiberg@2:201/137 to g00r00 on Thursday, July 14, 2022 20:12:58
    Hello g00r00!

    Thank you for your message!

    On 13 Jul 2022, g00r00 said the following...
    However, it appears to send the entire file instead of only the text the [Text] stanza. (I have textmci = true if that would make any

    That's pretty funny.
    Okay thanks I will check into that and get it fixed up!

    Thanks a lot! It is much appreciated!

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/13 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
  • From Björn Wiberg@2:201/137 to g00r00 on Monday, July 18, 2022 21:11:40
    Hello g00r00!

    On 14 Jul 2022, Björn Wiberg said the following...
    However, it appears to send the entire file instead of only the the [Text] stanza. (I have textmci = true if that would make any

    That's pretty funny.
    Okay thanks I will check into that and get it fixed up!

    Thanks a lot! It is much appreciated!

    Just wanted to let you know that this seems to be working fine now in the latest published build. Thanks a lot for fixing this!

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/15 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
  • From Björn Wiberg@2:201/137 to g00r00 on Monday, July 18, 2022 21:51:50
    Hello again, g00r00!

    On 13 Jul 2022, Björn Wiberg said the following...
    Thanks! The logic for sending hackwarn messages seems to be working just fine now! I think I tried all possible combinations of yes/no, correct/incorrect answers and hanging up at different points. :)

    OK, so this might be more or less harmless, but...

    If the user correctly enters the password reset code (prompt #542) and hangs up during the actual password change (at prompt #543 or #544), a hackwarn message is sent to the user.

    It would be nice if the hackwarn sending gets disabled as soon as the user has entered the correct password reset code (I think).

    Just wanted to mention this special case.

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/15 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
  • From g00r00@1:129/215 to Björn Wiberg on Monday, July 18, 2022 18:16:48
    However, it appears to send the entire file instead of only
    That's pretty funny.
    Okay thanks I will check into that and get it fixed up!

    Thanks a lot! It is much appreciated!

    Thanks for letting me know!

    ... There is an exception to every rule, except this one.

    --- Mystic BBS v1.12 A48 2022/07/15 (Windows/64)
    * Origin: Sector 7 * Mystic WHQ (1:129/215)
  • From g00r00@1:129/215 to Björn Wiberg on Monday, July 18, 2022 18:50:32
    OK, so this might be more or less harmless, but...

    If the user correctly enters the password reset code (prompt #542) and hangs up during the actual password change (at prompt #543 or #544), a hackwarn message is sent to the user.

    It would be nice if the hackwarn sending gets disabled as soon as the
    user has entered the correct password reset code (I think).

    I will change this in the next build. Please give it a test when you can!

    ... Oxymoron: Race walking

    --- Mystic BBS v1.12 A48 2022/07/15 (Windows/64)
    * Origin: Sector 7 * Mystic WHQ (1:129/215)
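The notification rules this thread arrives at, written out as an added example that is not part of the thread and not Mystic's code. The event names are hypothetical labels for the steps at prompts #538, #475 and #542 to #544; sending a hackwarn when the reset was requested but the code was wrong or never entered is an assumption, since the thread does not spell that case out.

```python
def mails_for_session(events, user="user"):
    """Return the e-mails to queue once the login attempt limit was exceeded.

    events is the ordered list of things that happened after the limit was
    hit. Every mail goes to the account owner, never to the SysOp.
    """
    mails, asked, verified = [], False, False
    for ev in events:
        if ev == "hangup":
            break  # a highlighted "Yes" at the lightbar is not an answer
        if ev == "reset_yes" and not asked:
            asked = True
            mails.append(("pwreset", user))  # the user actually asked for it
        elif ev == "code_ok" and asked:
            verified = True  # correct reset code entered at prompt #542
    if not verified:
        # Warn the owner about the failed logins unless the caller proved
        # control of the mailbox by entering the correct reset code.
        mails.append(("hackwarn", user))
    return mails

# Cases raised in the thread, with the outcome each one should produce.
SCENARIOS = {
    "hang up at #538": (["hangup"], [("hackwarn", "user")]),
    "deny reset at #538": (["reset_no"], [("hackwarn", "user")]),
    "deny, then abort SysOp inquiry": (
        ["reset_no", "sysop_inquiry_aborted"], [("hackwarn", "user")]),
    "code ok, hang up at #543/#544": (
        ["reset_yes", "code_ok", "hangup"], [("pwreset", "user")]),
    "asked for reset, hung up before code (assumed)": (
        ["reset_yes", "hangup"], [("pwreset", "user"), ("hackwarn", "user")]),
}

def failing_scenarios():
    """Names of scenarios whose computed mails differ from the expected ones."""
    return [name for name, (events, expected) in SCENARIOS.items()
            if mails_for_session(events) != expected]
```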
  • From Björn Wiberg@2:201/137 to g00r00 on Tuesday, July 19, 2022 18:31:06
    Hello g00r00!

    Thank you for your message!

    On 18 Jul 2022, g00r00 said the following...
    It would be nice if the hackwarn sending gets disabled as soon as the user has entered the correct password reset code (I think).

    I will change this in the next build. Please give it a test when you
    can!

    Thanks, will do -- just let me know as soon as the next build has been published and I'll try it out! =)

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/07/15 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)