I believe I found a core bug with elgg registration...
if the user trying to register provides mismatched passwords, they receive an error message however, they become an active user without any notification, leaving their email address and username useless for further registration!
serious problem? Definitely. Can anyone address this?
info@elgg.org
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Elgg is a registered trademark of Thematic Networks.
Cover image by RaĆ¼l Utrera is used under Creative Commons license.
Icons by Flaticon and FontAwesome.
I've tested this on the elgg community register and received the same results.
yep - it is a bug ;-(
Oi! Dhrup, any ideas?
Is the best thing to do: make password only 1 field and eliminate $password2 ??
register_user is done before the strcmp($password, $password2) == 0 checking on the passwords and so the user gets registered anyway ;-( the elgg team needs to switch that code around - the validation should be done before the register call.
right.
where can i make these changes, inthe useradd.php file? do i just need to switch around the $guid = $guid = register_user($username, $password, $name, $email, TRUE); and the strcmp($password, $password2) == 0 lines ??
This is what i'm looking at in the useradd.php file:
// For now, just try and register the user
try {
$guid = register_user($username, $password, $name, $email, TRUE);
if (((trim($password) != "") && (strcmp($password, $password2)==0)) && ($guid)) {
$new_user = get_entity($guid);
if (($guid) && ($admin)) {
$new_user->makeAdmin();
}
How could they mess something like that up? That's embarrassing.
guess i'm in a good mood today ;-)
actions/register.php ==>
Bad Code -->
// For now, just try and register the user
try
{
$guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
if (((trim($password) != "") && (strcmp($password, $password2) == 0)) && ($guid))
{
$new_user = get_entity($guid);
if (($guid) && ($admin)) {
Good Code -->
// For now, just try and register the user
try
{
if (((trim($password) != "") && (strcmp($password, $password2) == 0)) && ($guid))
{
$guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
$new_user = get_entity($guid);
if (($guid) && ($admin)) {
: )
plz test and report back lolz ;-P
will do!
- Previous
- 1
- 2
- Next
You must log in to post replies.