Email password using pear causing server errors

Hi There

I have had to switch the request passworsd feature on one of my sites to use pear as the email address now requires authentication.

i have switched the registration to use pear which is working fine, so not sure why the request password email is no working

When i fill out the email address and security question i get redirected to a page wigth the following url: &EmailFail=true

I cant find anywhere in the related pages where the EmailFail is set the urls for succsess/failure i have set to:

"successRedirect" => "/access/login/?emailedPassword=1"
"failRedirect" => "/access/forgotpassword/?notFound=1"

i dont know why its redirecting to the aforementioned url, its causing an internal server error:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (&).]
System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +9023209
System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59


i have atached the relevant files in a zip if could have a look at them please and see if you can find why its not working.

Just an update to where i am at with this problem:

he redirect url generated by the forgotpassword behaviour is adding an & to the url insead of adding a ?
&EmailFail=true
should be
?EmailFail=true
this is why is generating an internal server errror

i am using the framework and all the pages are loaded in via an index.php page

using a $_GET['page'] variable to determine which page to load in.

i am also using an .htacess file to make my urls pretty.

so instead of havinghttp://www.albionwineshippers.co.uk/access/index.php?page=forgotpassword
i have http://www.albionwineshippers.co.uk/access/forgotpassword/

just as a test i edited the webassist/security_assist/helper_php.php page

and change the following lines:

if ($WA_UserFound)  {

            $WA_Auth_Parameter["failRedirect"] = ((strpos($WA_Auth_Parameter["failRedirect"], '?') === false)?"?":"&")."EmailFail=true";

        } else {

            $WA_Auth_Parameter["failRedirect"] = ((strpos($WA_Auth_Parameter["failRedirect"], '?') === false)?"?":"&")."notFound=true";

        }

to:

if ($WA_UserFound)  {

            $WA_Auth_Parameter["failRedirect"] = ((strpos($WA_Auth_Parameter["failRedirect"], '?') === false)?"?":"[red]?[/red]")."EmailFail=true";

        } else {

            $WA_Auth_Parameter["failRedirect"] = ((strpos($WA_Auth_Parameter["failRedirect"], '?') === false)?"?":"[red]?[/red]")."notFound=true";

        }

this fixes the internal server error, but the actual request password still fails (it uses the EmailFail parameter), the email address is in the database (i have checked the record exists) so why its failing i do not know, i can even log-in with it.
this is the next problem to solve.

I have created a support ticket so we can look into this issue further.

To view and edit your support ticket, please log into your support history:
supporthistory.php

If anyone else is experiencing this same issue, please append to this thread.