Issue raised by philwild as a potential security problem.
A user is able to gain access to a drupal website with logintoboggan installed.
Procedure:
1. Create new account
2. Enter details including password etc under logintoboggan
3. Upon completion, receive message that your account is pending admin approval.
4. As administrator, can see on site that the new user is in logintoboggan "unverified" state.
5. Logout the new account and then select "Request new password"
6. You receive the one time login email.
7. Click on the link in the one time email and set a new password.
8. The account is now no longer in the "unverified" state and the hacker has access prior to admin approval being granted.
Comments
Comment #1
stevecowie commentedThere is a clash between Drupal core's logic for user approval and the model in Login Toboggan. In core, the setting for account needing admin approval means that a registered user is assigned the 'authenticated user' role but is blocked pending approval. Once the admin approves the user, s/he becomes active and gets notified by email. LT has a setting for immediate login, which can only operate if the user is active, so its recommended model is create a new role called something like 'unverified user' with very limited permissions. Once the user verifies the user email address, s/he gets moved from 'unverified user' to 'authenticated user'. In other words, the logic assumed by LT is that core has been configured to allow users to create accounts without needing approval.
I've been discussing this at some length with @md2 and come to the conclusion that although this is not a security problem we could improve how LT plays with core. Our thoughts are to provide an interim solution of better warnings so if you have core configured to need admin approval but have LT configured to allow immediate login and don't have a temporary role, you get a warning on loading admin pages. In addition, we can see a case for preventing users getting moved from temporary role to authenticated user even if they do verify their email, if core is configured to require admin approval. However, even if we add that, it still creates a maintenance headache for site builders as they have to modify their email notifications for password resets and email verifications.
Comment #2
stevecowie commentedVersion no longer supported