diff options
| author | Chris Smith <toonarmy@phpbb.com> | 2009-04-29 18:30:26 +0000 |
|---|---|---|
| committer | Chris Smith <toonarmy@phpbb.com> | 2009-04-29 18:30:26 +0000 |
| commit | de617ed0df64cbdfa238f788eef163c09222f1d0 (patch) | |
| tree | 964011e19bd2e44909a3cf654de79a115ad7e778 /phpBB | |
| parent | 0902ba6d2115cb68532931e10aab64c1035810be (diff) | |
| download | forums-de617ed0df64cbdfa238f788eef163c09222f1d0.tar forums-de617ed0df64cbdfa238f788eef163c09222f1d0.tar.gz forums-de617ed0df64cbdfa238f788eef163c09222f1d0.tar.bz2 forums-de617ed0df64cbdfa238f788eef163c09222f1d0.tar.xz forums-de617ed0df64cbdfa238f788eef163c09222f1d0.zip | |
Minor security problem, discovered internally. Requires the user to know the activation key which is not normally possible when admin activation is turned on. #41625
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9498 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB')
| -rw-r--r-- | phpBB/docs/CHANGELOG.html | 1 | ||||
| -rw-r--r-- | phpBB/includes/ucp/ucp_activate.php | 11 |
2 files changed, 12 insertions, 0 deletions
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 14d165b819..986e957237 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -167,6 +167,7 @@ <li>[Feature] db_tools now support create table and drop table.</li> <li>[Feature] Database updater checks for incompatible db schema (MySQL 3.x/4.x against MySQL 4.1.x/5.x/6.x)</li> <li>[Feature] New search option: Maximum number of words allowed to search for.</li> + <li>[Sec] Prevent accounts from being activated by users when admin activation is turned on and the correct activation key is known.</li> </ul> <a name="v303"></a><h3>1.ii. Changes since 3.0.3</h3> diff --git a/phpBB/includes/ucp/ucp_activate.php b/phpBB/includes/ucp/ucp_activate.php index f8aeb2297a..36ab8a0e9b 100644 --- a/phpBB/includes/ucp/ucp_activate.php +++ b/phpBB/includes/ucp/ucp_activate.php @@ -56,6 +56,17 @@ class ucp_activate trigger_error('WRONG_ACTIVATION'); } + // Do not allow activating by non administrators when admin activation is on + // Only activation type the user should be able to do is INACTIVE_REMIND + if ($user_row['user_inactive_reason'] != INACTIVE_REMIND && $config['require_activation'] == USER_ACTIVATION_ADMIN && !$auth->acl_get('a_user')) + { + if (!$user->data['is_registered']) + { + login_box('', $user->lang['NO_AUTH_OPERATION']); + } + trigger_error('NO_AUTH_OPERATION'); + } + $update_password = ($user_row['user_newpasswd']) ? true : false; if ($update_password) |