
zmacr

Joined 03/28/2019 Achieve Points 40 Posts 3

zmacr's Comments

  • Posted 4 years, 11 months ago

    It looks like, for now, the default password reset page (the one the user is redirected to from the email and that requires entering the new password) lacks https, so the new user password is sent in plaintext and can be read by third parties.

    http://outof.cards/accounts/reset/NDE2/{id} should be https instead, as the http version redirects to

    http://outof.cards/accounts/reset/NDE2/set-password/ where the password form is.

    The perfect solution would be not only to change the email link, but also to make the security-related http pages https-only and redirect http GET requests to them.

    The plaintext request contains the following body:  csrfmiddlewaretoken=TOKEN&new_password1=123456&new_password2=123456

    so by capturing it, an attacker can easily get the new user password.
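The fix the post asks for (security-related pages https-only, with http GET requests redirected) is shown below as an added example; it is not the site's code. The form field names (csrfmiddlewaretoken) suggest a Django site, and Django's own SecurityMiddleware with SECURE_SSL_REDIRECT = True handles the redirect part with a permanent redirect for every method. The middleware here is a framework-independent WSGI version that also covers the case the post's capture illustrates: a POST carrying the new password that has already arrived over plain http is refused rather than redirected, because redirecting it would either drop the body (301/302) or make the browser re-send the password again (307/308), and neither undoes the exposure. The path prefixes, host names and request environs are assumptions constructed for the example.

```python
# Added example: HTTPS-only enforcement for sensitive paths as a WSGI middleware.
# Not the site's code; path prefixes and sample requests are constructed here.
from urllib.parse import urlunsplit

# Hypothetical list of URL prefixes that carry credentials or reset tokens.
SENSITIVE_PREFIXES = ("/accounts/reset/", "/accounts/login/", "/accounts/password/")
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_sensitive(path: str) -> bool:
    """True if the path must never be served over plain http."""
    return any(path.startswith(prefix) for prefix in SENSITIVE_PREFIXES)


def request_is_https(environ) -> bool:
    """Scheme as seen by the app. X-Forwarded-Proto is only trustworthy when a
    TLS-terminating proxy in front of the app sets it; that is assumed here."""
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO") == "https")


def https_url(environ) -> str:
    """Same host, path and query string, but with the https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


class HttpsOnlyMiddleware:
    """Redirect plain-http GET/HEAD on sensitive paths to https; refuse any other
    plain-http method there, since its body (e.g. new_password1) already crossed
    the wire unencrypted and must not be accepted. Adds HSTS on https responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if request_is_https(environ):
            def sr(status, headers, exc_info=None):
                return start_response(status, list(headers) + [HSTS], exc_info)
            return self.app(environ, sr)
        if not is_sensitive(path):
            return self.app(environ, start_response)
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method in ("GET", "HEAD"):
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)),
                            ("Content-Type", "text/plain")])
            return [b"Redirecting to https\n"]
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"This form is only accepted over https\n"]


def password_form_app(environ, start_response):
    """Stand-in for the real application; serves the (hypothetical) form."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method=post><input name=new_password1></form>"]


def run(app, environ):
    """Call a WSGI app and return (status, headers dict, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def make_environ(method, path, scheme, host="outof.cards", query=""):
    """Constructed WSGI environ for the example; not a captured request."""
    return {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
            "HTTP_HOST": host, "SERVER_NAME": host, "wsgi.url_scheme": scheme}


app = HttpsOnlyMiddleware(password_form_app)

if __name__ == "__main__":
    for env in (make_environ("GET", "/accounts/reset/NDE2/set-password/", "http"),
                make_environ("POST", "/accounts/reset/NDE2/set-password/", "http"),
                make_environ("POST", "/accounts/reset/NDE2/set-password/", "https"),
                make_environ("GET", "/static/site.css", "http")):
        status, headers, _ = run(app, env)
        print(env["REQUEST_METHOD"], env["wsgi.url_scheme"], env["PATH_INFO"], "->", status,
              headers.get("Location", ""))
```

Wrapping the app this way is independent of fixing the link in the email: the token in the reset URL path still travels in the clear on the first GET until the emailed link itself uses https, so both changes are needed, as the post says.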

  • Posted 5 years, 1 month ago

    ... it looks like now I can only "Quote" my own messages, and not the messages of other users (the forum Quote button is useless for now).

    Instead, I think a user should be able to Quote any message (written by any user) that belongs to a thread he is authorized to view.

    Second issue looks fixed with no further problems.

  • Posted 5 years, 1 month ago

    Hi!

    It looks like you have an authorization issue with the "comments/quote" REST method.

    As of now it allows non-admin users to get the content of any comment message (even from the non-public staff/mod-talk/ sub-forum) by id.

    For example, the message with id 46 clearly contains some sensitive admin data about ".. a playful, slightly Hearthstoney font."

    Also, the members page of an admin user (like /members/fluxflashor) allows one to see the names of threads from the staff/ sub-forum, which can also potentially leak some sensitive information.
