1
dappe
User activation through Admin unsecure behavior
  • 2004/5/5 7:26

  • dappe

  • Just popping in

  • Posts: 7

  • Since: 2004/3/17


I use XOOPS 2.0.6 for an internal project, i have set up user activation through the administrator.

When a new user registers and the activation-mail is sent to the admin, one can click on the activation-link and then XOOPS pops up in the browser and confirms that the user has been activated, without asking for the admin password.

I think this behavior is highly insecure specially in case of a misconfigured mail-system or even an misspelled admin-email-address.



2
Dave_L
Re: User activation through Admin unsecure behavior
  • 2004/5/5 10:22

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


When you clicked on the activation-link, did you already have your browser open, and were you already logged in (as an admin)?

3
dappe
Re: User activation through Admin unsecure behavior
  • 2004/5/5 10:59

  • dappe

  • Just popping in

  • Posts: 7

  • Since: 2004/3/17


no, no browser process open and not logged in at all during the activation, even after XOOPS confirmed the activation i was not logged in

4
Dave_L
Re: User activation through Admin unsecure behavior
  • 2004/5/5 11:26

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


After looking at the code, it does appear to work as you described. I don't think it's especially insecure, since the activation key is only sent to admins. But it would probably be better to require an admin login.

The fix would be done in user.php, by checking that an admin is currently logged in before calling activateUser(), when $xoopsConfigUser['activation_type'] is 2.

5
DonXoop
Re: User activation through Admin unsecure behavior

I can also confirm that no login is needed. I recently went to admin approval for signups after having some new users signup only to try to crack the site. I quickly noticed the new issue.

Not a terribly big thing since even if the email was hijacked (which you should notice quickly) the worst is that the user gets activated. He won't get admin rights.

Maybe safer to force a login except it makes more work for the admin. I personally don't like to login as admin unless I'm on the VPN and need to do other admin duties.

One hack I did was to append a user's IP address to the signup notice so I can have a record in case of a problem user.

In the long run it might be safest to keep the admin approval method just as it is.

Login

Who's Online

330 user(s) are online (193 user(s) are browsing Support Forums)


Members: 0


Guests: 330


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits