ultimatehandyman PR2

Joined: 15 Mar 2007 Posts: 224
Posted: Thu Jun 14, 2007 11:42 am Post subject: PHPBB potential security flaw

Hi,
I have just realised that there could be a potential flaw with phpbb.
When people sign up to become a member they add their e-mail address and then click on the confirmation link.
As soon as they have done this they can log in and change their e-mail address; someone has done this recently on my forum.
No big deal, you might be thinking.
Now let's say that I have a competing website and I want to cause trouble on another forum; let's call this forum1. I join forum1 and then log into the profile and change my e-mail address from my genuine address to an e-mail address such as admin@forum2. I then go and make some posts and send out some PMs and generally cause trouble on the site.
The site admin logs into the control panel and checks out the e-mail address of the troublemaker and it is admin@forum2. Now the site admin is furious that the admin from forum 2 has come to his forum, had the cheek to sign up and then caused a load of trouble, although the admin of forum 2 knows nothing about it!
Members being able to change their e-mail address is not a good idea IMHO.
Does anyone have any suggestions?
Thanks
chez
_________________ DIY | DIY directory | DIY forum

HB phpBB SEO Team

Joined: 16 Oct 2006 Posts: 831
Posted: Thu Jun 14, 2007 9:11 pm Post subject: Re: PHPBB potential security flaw

I just tried it. Updating the e-mail displayed a message about "vital information being changed" and the account was inactivated. Since the joker doesn't have a genuine e-mail on forum2, they can't re-activate the account.
_________________ Dan Kehn

ultimatehandyman PR2

Joined: 15 Mar 2007 Posts: 224
Posted: Fri Jun 15, 2007 3:01 pm Post subject: Re: PHPBB potential security flaw

HB wrote:
> I just tried it. Updating the e-mail displayed a message about "vital information being changed" and the account was inactivated. Since the joker doesn't have a genuine e-mail on forum2, they can't re-activate the account.

I tried it on someone else's forum and it let me change the e-mail address and then I logged back in with no problems at all.
Perhaps their phpbb version is not up to date?
I will test it out on my own forum ASAP.
_________________ DIY | DIY directory | DIY forum

ultimatehandyman PR2

Joined: 15 Mar 2007 Posts: 224
Posted: Fri Jun 15, 2007 3:34 pm Post subject: Re: PHPBB potential security flaw

HB wrote:
> I just tried it. Updating the e-mail displayed a message about "vital information being changed" and the account was inactivated. Since the joker doesn't have a genuine e-mail on forum2, they can't re-activate the account.

You are correct Dan, it does not work on my forum either!
A guy joined my forum and used his real name @e-mail.com and when I checked again it had been changed to something@hotmail.com. The reason why I wanted to get the guy's real name is because he kept coming into my forum and posting links to a tool site, which I think this guy works for, and so I was going to get his name from his e-mail and ring the company and ask for him. Then if he answered I would ban him.
Now as for the e-mail change on earlier versions, I have done this because a spammer from a similar forum joined mine and spammed it and so I joined his forum and then changed my e-mail to a false one and it let me, with no problem at all!
_________________ DIY | DIY directory | DIY forum

falkra PR1


Joined: 11 Mar 2007 Posts: 182
Posted: Fri Jun 15, 2007 3:57 pm Post subject: Re: PHPBB potential security flaw

Modifying mail in profile deactivates the account. Maybe only when phpBB is configured with account mail activation.
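
The behaviour reported in this thread (an e-mail change deactivates the account until the new address is confirmed, and possibly only when e-mail activation is switched on) can be sketched as below. This is an added example, not phpBB's code and not from any poster; the function names, the array-based member record, the `require_email_activation` setting and the 24-hour key lifetime are assumptions made for illustration.

```php
<?php
// Added illustration, not phpBB source; every name below is hypothetical.

// Apply an e-mail change. With activation enabled the account is switched
// off and a one-time key is issued for the NEW address, so the change only
// sticks if the member can read mail sent there. Returns the key to mail.
function change_email(array &$user, string $newEmail, array $config): ?string
{
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    if (strcasecmp($newEmail, $user['email']) === 0) {
        return null; // unchanged address, nothing to verify
    }
    $user['email'] = $newEmail;
    if (empty($config['require_email_activation'])) {
        // Activation off: the address is stored unverified, so it says
        // nothing reliable about who the member is.
        return null;
    }
    $key = bin2hex(random_bytes(16));
    $user['active'] = false;
    $user['actkey_hash'] = hash('sha256', $key); // keep only the hash
    $user['actkey_expires'] = time() + 86400;    // assumed 24 h lifetime
    return $key;
}

// Reactivate only if the presented key matches and has not expired.
function confirm_email(array &$user, string $presentedKey): bool
{
    if (empty($user['actkey_hash']) || time() > $user['actkey_expires']) {
        return false;
    }
    if (!hash_equals($user['actkey_hash'], hash('sha256', $presentedKey))) {
        return false;
    }
    $user['active'] = true;
    $user['actkey_hash'] = null; // one-time use
    return true;
}

// Constructed sample member and setting.
$user = ['email' => 'member@example.org', 'active' => true,
         'actkey_hash' => null, 'actkey_expires' => 0];
$key = change_email($user, 'someone@example.net', ['require_email_activation' => true]);
var_dump($user['active']);               // account state right after the change
var_dump(confirm_email($user, 'guess')); // a guessed key
var_dump(confirm_email($user, $key));    // the key mailed to the new address
```

With the setting off, `change_email` returns null and the account stays active, which matches a board where the address can be changed and the member logs straight back in.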