ricketno
encrypted mail address in activation mail
  • 2006/1/13 14:11

  • ricketno

  • Just popping in

  • Posts: 8

  • Since: 2005/2/16


Hi guys, what about this hack we made to avoid the visibility of the mail addresses in the activation mail?

In this way a malicious user is not able to create a loop with mail addresses using strings like this one:

http://your_site.com/lostpass.php?email=myemail@mydomain.com&code=f5d2f

This is the crypted link:
http://your_site.com/lostpass.php?email=ac512c2a2cf48c528fcbc00874fc9815&code=f5d2f

# lostpass.php #
# AROUND LINE 40 #

#####################################################
# hack : EMAIL ADDRESS CRYPTED IN ACTIVATION MAIL 
#####################################################

#$getuser =& $member_handler->getUsers(new Criteria
#('email', $myts->addSlashes($email)));

# With a code in the URL, "email" holds the MD5 of the address, so match on MD5(email).
if (isset($_GET['code']))
{
    $getuser =& $member_handler->getUsers(new Criteria('MD5(email)', $myts->addSlashes($email)));
}
else
{
    $getuser =& $member_handler->getUsers(new Criteria('email', $myts->addSlashes($email)));
}
########################################################

# AROUND LINE 100 #

#$xoopsMailer->assign("NEWPWD_LINK", XOOPS_URL."/lostpass.php?email=".$email."&code=".$areyou);   <<<<< HACK EMAIL ADDRESS CRYPTED IN ACTIVATION MAIL 
        
$xoopsMailer->assign("NEWPWD_LINK", XOOPS_URL."/lostpass.php?email=".md5($email)."&code=".$areyou);


Suggestions are welcome! (in particular about better crypt methods)

Thanks

ricketno-osso
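
On the request for better methods, an added example (not part of the original post and not XOOPS code): md5($email) can be recomputed by anyone who guesses an address, so this example swaps it for an HMAC keyed with a server-side secret. LINK_SECRET, the function names and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration; not XOOPS code. All names below are hypothetical.

// Assumption: a long random value kept only on the server (e.g. in a config file).
const LINK_SECRET = 'replace-with-long-random-server-side-value';

// Keyed digest of the address. Without LINK_SECRET it cannot be computed,
// unlike md5($email), which anyone can reproduce for a guessed address.
function email_token(string $email, string $secret = LINK_SECRET): string
{
    // Normalise so case or stray whitespace does not change the token.
    return hash_hmac('sha256', strtolower(trim($email)), $secret);
}

// Build the link the way the hack does, with the keyed token in place of md5().
function build_reset_link(string $baseUrl, string $email, string $code): string
{
    return $baseUrl . '/lostpass.php?email=' . email_token($email)
         . '&code=' . rawurlencode($code);
}

// Resolve a token back to an address. A keyed digest cannot be matched with
// MD5(email) in SQL, so this compares candidates in PHP; storing the token in
// its own column when the mail is sent would avoid the scan.
function find_email_by_token(array $emails, string $token): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // not a SHA-256 hex digest, e.g. a 32-character MD5
    }
    foreach ($emails as $email) {
        if (hash_equals(email_token($email), $token)) { // constant-time compare
            return $email;
        }
    }
    return null;
}

// Constructed sample data.
$users = ['alice@example.com', 'bob@example.org'];
$link  = build_reset_link('http://your_site.com', 'alice@example.com', 'f5d2f');
parse_str(parse_url($link, PHP_URL_QUERY), $query);

var_dump(find_email_by_token($users, $query['email']));        // token taken from the link
var_dump(find_email_by_token($users, md5('bob@example.org'))); // plain MD5 of a guessed address
```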
