Drupal 4.5 with Listhandler
1. Create mailbox in Mailhandler and assign command 'tid: 10' (where '10' is any relevant forum ID)
2. Create an account with username "email@domain.com"
3. Send message to your new mailbox from email@domain.com
4. Check mail either manually in Mailhandler admin, or by calling cron.php in the browser
5. Whoa! I'm now actually logged in as user email@domain.com - and I don't even know his password!
If a Drupal site has any users whose usernames are email addresses *and* are full site admins, the level of this bug could be extremely severe.
I haven't tried this with usernames which are not also email addresses, nor with newly-created 'stub' accounts.
Cross-posting to both bug lists since I'm not sure which product has the security issue.
Comments
Comment #1
drumm
Temporary fix: use .htaccess to disallow access to all hosts except localhost or whatever regularly calls cron.php.
Order Allow,Deny
Allow from 67.100.116.156
Comment #2
drumm
Temporary fix: use .htaccess to disallow access to all hosts except localhost or whatever regularly calls cron.php.
<Files cron.php>
Order Allow,Deny
Allow from your ip
</Files>
Comment #3
drumm
Could not confirm using current 4.5 branch by posting comments and new messages.
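One way to check that the cron.php restriction suggested in Comment #2 is actually in effect, as an added example that is not part of the original thread: a Python pass over the web server's access log that separates cron.php requests from non-allowed hosts into those that were served and those that were refused. The allowlist, the Apache common/combined log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: only these hosts are supposed to trigger cron.php.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jan/2005:03:00:01 +0000] "GET /cron.php HTTP/1.0" 200 0
203.0.113.7 - - [10/Jan/2005:03:12:44 +0000] "GET /cron.php HTTP/1.1" 403 289
198.51.100.23 - - [10/Jan/2005:04:02:10 +0000] "GET /cron.php HTTP/1.1" 200 0
198.51.100.23 - - [10/Jan/2005:04:02:15 +0000] "GET /node/12 HTTP/1.1" 200 5120
not a log line
"""

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the client field: untrusted
    return any(ip in net for net in ALLOWED)

def audit_cron_requests(log_text):
    """Return (served, blocked): cron.php requests from outside ALLOWED that
    were answered (status < 400) or refused (status >= 400)."""
    served, blocked = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string so /cron.php?x=1 is matched as well.
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/cron.php") or is_allowed(m["ip"]):
            continue
        record = (m["ip"], m["ts"], int(m["status"]))
        (served if record[2] < 400 else blocked).append(record)
    return served, blocked

if __name__ == "__main__":
    served, blocked = audit_cron_requests(SAMPLE_LOG)
    for ip, ts, status in served:
        print(f"cron.php served to non-allowed host {ip} at {ts} (HTTP {status})")
    print(f"{len(blocked)} request(s) from non-allowed hosts were refused")
```

Any entry in the served list means the `<Files cron.php>` rule is missing, not being honoured for that directory, or the allowlist is wider than intended.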