glFusion CMS 1.7.9 Arbitrary user registration vulnerability #485
Comments
That's true, but I'm not sure how much of a problem it is. If the malicious user uses a valid email address, the activation email will be sent to the real email account holder. If the submission queue is used, the email is sent upon approval. If the user submission is rejected, the record is deleted and available for re-registration.

I suppose it wouldn't hurt to send an email to the new user even if queued, saying "your account is pending approval".
On Wed, Dec 8, 2021 at 10:18 PM Topsec_bunney wrote:
**There is a logical problem with the user registration page. After clicking the register button, the user does not need to confirm the email; the system directly saves the submitted content in the database. This leads to a problem: an attacker can register with the mailbox of any user. When that user wants to register, they will find that the mailbox has already been occupied.**
[image: firefox_0LibhucPYT]
<https://user-images.githubusercontent.com/73220685/145344346-91dbbce9-01c4-4fad-8a78-b070c9959766.png>
That would be a good security notice to tell someone that someone else is trying to use their email address.
User registration only has 3 paths: the user is queued, in which case the user will receive an email when the account is approved; or the user is emailed their initial password; or the user enters their own password and receives a verification email. All 3 methods require the user to receive an email to proceed. So if your email is spoofed, you will be notified. Currently, there are user administration tools that allow a site admin to manually purge accounts that never verified, etc. I do think implementing an automatic purge of non-verified or non-logged-into accounts after a configurable time period would be of value.
Move to 2.1.0 milestone - add capability in glFusion's cron to automatically purge aged accounts that have never logged in or completed the validation step.
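The two comments above describe a design rather than code: an address is reserved the moment a registration row is written, the address owner gets a notice if someone else tries to use it, and a cron job later drops rows that never verified, were never approved, or never logged in. The following is an added example, written for this page and not taken from glFusion, that models that state machine with an in-memory table so the squatting scenario from the issue and the purge fix can be run end to end. Everything in it (state names, the `UserTable` class, the notice wording, the 7-day window) is an assumption chosen for illustration; glFusion's real tables, column values and mailer differ.

```python
"""Registration squatting and stale-account purge, modelled in memory.

Constructed example for the glFusion issue #485 thread; not project code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed account states covering the paths the maintainer lists: the user
# sets a password and must verify by email, or the row is queued for admin
# approval. Neither becomes ACTIVE until that step completes.
PENDING_VERIFY = "pending_verify"
QUEUED = "queued"
ACTIVE = "active"


@dataclass
class Account:
    uid: int
    email: str
    status: str
    created: datetime
    last_login: Optional[datetime] = None


class UserTable:
    """Stand-in for the users table (assumed shape, not glFusion's schema)."""

    def __init__(self) -> None:
        self.rows: Dict[int, Account] = {}
        self._next_uid = 1

    def by_email(self, email: str) -> Optional[Account]:
        # Normalise so Victim@Example.com cannot slip past the uniqueness check.
        key = email.strip().lower()
        return next((a for a in self.rows.values() if a.email == key), None)

    def insert(self, email: str, status: str, now: datetime) -> Account:
        acct = Account(self._next_uid, email.strip().lower(), status, now)
        self.rows[acct.uid] = acct
        self._next_uid += 1
        return acct


def register(table: UserTable, email: str, now: datetime,
             queued: bool = False) -> Tuple[Optional[Account], str]:
    """Attempt a registration; return (account or None, email notice sent)."""
    existing = table.by_email(email)
    if existing is not None:
        # Address already held: warn the address owner, as suggested in the
        # thread, and tell the requester nothing beyond "check your mail".
        return None, (f"to {existing.email}: someone tried to register with "
                      f"your address; an account in state "
                      f"'{existing.status}' already exists")
    acct = table.insert(email, QUEUED if queued else PENDING_VERIFY, now)
    if queued:
        return acct, f"to {acct.email}: your account is pending approval"
    return acct, f"to {acct.email}: click the verification link to activate"


def verify(table: UserTable, uid: int) -> None:
    """Email link clicked or admin approval granted."""
    table.rows[uid].status = ACTIVE


def login(table: UserTable, uid: int, now: datetime) -> None:
    table.rows[uid].last_login = now


def purge_stale(table: UserTable, now: datetime,
                max_age: timedelta) -> List[int]:
    """Cron step: drop accounts older than max_age that never completed
    verification/approval or never logged in, freeing their addresses."""
    cutoff = now - max_age
    stale = sorted(uid for uid, a in table.rows.items()
                   if a.created < cutoff
                   and (a.status != ACTIVE or a.last_login is None))
    for uid in stale:
        del table.rows[uid]
    return stale


def demo() -> dict:
    """Constructed scenario: attacker squats victim's address, cron frees it."""
    t0 = datetime(2021, 12, 8, 22, 18)
    table = UserTable()
    squat, _ = register(table, "victim@example.com", t0)          # attacker
    bob, _ = register(table, "bob@example.com", t0)                # real user
    verify(table, bob.uid)
    login(table, bob.uid, t0 + timedelta(days=1))
    blocked, notice = register(table, "Victim@example.com",
                               t0 + timedelta(days=1))             # victim
    purged = purge_stale(table, t0 + timedelta(days=8), timedelta(days=7))
    recovered, _ = register(table, "victim@example.com",
                            t0 + timedelta(days=8))
    return {"squat_uid": squat.uid, "blocked": blocked is None,
            "notice": notice, "purged": purged,
            "bob_kept": bob.uid in table.rows,
            "recovered_uid": recovered.uid if recovered else None}


if __name__ == "__main__":
    print(demo())
```

The purge keys on `created` rather than on the state alone so that a row verified but never used is also reclaimed, matching the milestone note's "never logged in or completed validation step". The notice goes only to the address already on file, never to the requester, so an attacker cannot use the registration form to confirm which addresses have accounts.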
**There is a logical problem with the user registration page. After clicking the register button, the user does not need to confirm the email; the system directly saves the submitted content in the database. This leads to a problem: an attacker can register with the mailbox of any user. When that user wants to register, they will find that the mailbox has already been occupied.**