Drupal 4.5 with Listhandler

1. Create mailbox in Mailhandler and assign command 'tid: 10' (where '10' is any relevant forum ID)

2. Create an account with username "email@domain.com"

3. Send message to your new mailbox from email@domain.com

4. Check mail either manually in Mailhandler admin, or by calling cron.php in the browser

5. Whoa! I'm now actually logged in as user email@domain.com - and I don't even know his password!

If a Drupal site has any users whose usernames are email addresses *and* are full site admins, the level of this bug could be extremely severe.

I haven't tried this with either usernames which are not also email addresses or newly-created 'stub' accounts.

Cross-posting to both bug lists since I'm not sure which product has the security issue.

Comments

drumm’s picture

Temporary fix: use .htaccess to disallow access to all hosts except localhost or whatever regularly calls cron.php.

<Files cron.php>
Order Allow,Deny
Allow from 67.100.116.156
</Files>

drumm’s picture

Temporary fix: use .htaccess to disallow access to all hosts except localhost or whatever regularly calls cron.php.

<Files cron.php>
Order Allow,Deny
Allow from your ip
</Files>
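
A check to go with the .htaccess restriction above, added here as an example and not part of the original thread: it scans Apache access-log lines for cron.php requests that came from hosts outside an allowlist, so you can see who has been calling cron.php and whether the rule is returning 403 to them. The log lines, the localhost-only allowlist and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only localhost is expected to call cron.php; add your scheduler's address.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

# Apache common/combined log prefix: client ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation-range addresses), not taken from a real site.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jan/2005:03:00:01 +0000] "GET /cron.php HTTP/1.0" 200 0',
    '192.0.2.44 - - [10/Jan/2005:09:12:40 +0000] "GET /cron.php HTTP/1.1" 200 0',
    '192.0.2.44 - - [10/Jan/2005:09:12:52 +0000] "GET /node/12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2005:11:30:05 +0000] "GET /drupal/CRON.php?x=1 HTTP/1.1" 403 210',
    '192.0.2.9 - - [10/Jan/2005:11:31:00 +0000] "GET /files/cron.php.txt HTTP/1.1" 404 180',
]

def is_cron_request(target):
    """True if any path segment is cron.php (covers subdirectories, PATH_INFO, mixed case)."""
    path = unquote(target.split("?", 1)[0])
    return "cron.php" in [segment.lower() for segment in path.split("/")]

def unexpected_cron_hits(lines, allowed=ALLOWED):
    """Return (client, target, status) for cron.php requests from hosts outside `allowed`."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_cron_request(m.group(3)):
            continue
        client, _method, target, status = m.groups()
        try:
            known = any(ipaddress.ip_address(client) in net for net in allowed)
        except ValueError:
            known = False  # a hostname was logged instead of an IP: report it for review
        if not known:
            hits.append((client, target, int(status)))
    return hits

if __name__ == "__main__":
    for hit in unexpected_cron_hits(SAMPLE_LOG):
        print(hit)
```

A 200 status in the output means the request reached cron.php; a 403 means the `<Files cron.php>` rule refused it.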

drumm’s picture

Could not confirm using current 4.5 branch by posting comments and new messages.