## Exploit

The `"mail"` field of the **Recover Password** page can be inspected and edited and anyone. Open `http://10.0.2.15/?page=recover` with Firefox and change the value of the `<input name="mail" …>` element before submitting the request. Alternatively, one may also use a script like the one provided in `reset.bash`.

## Fix

The problem here is that the server is trusting a client-supplied address instead of looking it up server-side. The client should supply a username/account identifier and the server must match it against its email in the database.