Syntax error in email_verify.check.inc, email_verify page security risk

Posted by John Money on April 10, 2009 at 9:09pm

Issue Summary

There is a syntax error in email_verify.check.inc on line 28.

In addition, the access permissions on email_verify page pose a real security/privacy risk since anyone with view access content permission (everyone) can view all other user email addresses. The path should be set to:

admin/users/users/email_verify

and the access arguments should be set to:

administer users

Attached is patch which fixes this (patched against 6.x-1.x-dev 2009-Mar-19).

Attachment	Size
email_verify-admin-users.patch	954 bytes

Comments

#1

Posted by dbr on April 11, 2009 at 11:15am

Thanks for the fixes.

I never documented the verify function, so the risk is smaller, but indeed it can easily be found in the code, so it's safer like this.

The patch is applied to the 6.x-1.x-dev branch.

#2

Posted by dbr on April 27, 2009 at 2:11pm

Status:

needs review

» fixed

This is now fixed in 6.x-1.1

#3

Posted by dbr on April 27, 2009 at 2:11pm

Assigned to:

Anonymous

» dbr

#4

Posted by System Message on May 11, 2009 at 2:20pm

Status:

fixed

» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Project:	Email Verification
Version:	6.x-1.x-dev
Component:	Code
Category:	bug report
Priority:	critical
Assigned:	dbr
Status:	closed (fixed)

Syntax error in email_verify.check.inc, email_verify page security risk

Jump to:

Issue Summary

Comments

#1

#2

#3

#4