Syntax error in email_verify.check.inc, email_verify page security risk [#430360]

There is a syntax error in email_verify.check.inc on line 28.

In addition, the access permissions on email_verify page pose a real security/privacy risk since anyone with view access content permission (everyone) can view all other user email addresses. The path should be set to:

admin/users/users/email_verify

and the access arguments should be set to:

administer users

Attached is patch which fixes this (patched against 6.x-1.x-dev 2009-Mar-19).

Comment	File	Size	Author
	email_verify-admin-users.patch	954 bytes	john.money

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

dbr CreditAttribution: dbr commented 11 April 2009 at 11:15

Thanks for the fixes.

I never documented the verify function, so the risk is smaller, but indeed it can easily be found in the code, so it's safer like this.

The patch is applied to the 6.x-1.x-dev branch.

Comment #2

dbr CreditAttribution: dbr commented 27 April 2009 at 14:11

Status:

Needs review

» Fixed

This is now fixed in 6.x-1.1

Comment #3

dbr CreditAttribution: dbr commented 27 April 2009 at 14:11

Assigned:

Unassigned

» dbr

Comment #4

11 May 2009 at 14:20

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Syntax error in email_verify.check.inc, email_verify page security risk

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community