Last updated April 20, 2011. Created by greggles on April 20, 2011.
Log in to edit this page.
There are at least two configurations of Drupal core that can lead to situations where the e-mail address of a user is not a valid nor confirmed address.
If another module outside of core allows for similar situations it is not considered a security vulnerability.
Modules should, however, implement flood control to prevent broad abuse of these situations.
1. Immediate registration without validation of e-mail
Drupal 6 and 7 allow site administrators to configure their site to allow access to users immediately after they register. This doesn't require validation of the e-mail address so a malicious user could register on a site using the address of someone they wish to send unsolicited e-mails. They could register a second time and use that second user to send contact messages to the first user account. The could then use a second issue to send yet more mails.
2. Registered users can change their e-mail without verifying the new address
This issue affects Drupal core in 6 and 7. Users can register, whether or not registration requires verification of the email address, and then change their e-mail address after the fact without having to verify the address.
This could be used in a similar manner to the first issue.
There is a module, Email Confirm, and an issue for core to address this problem.