Setting the useradd action's access to admin instead of public.

author Brett Profitt <brett.profitt@gmail.com>

Mon, 14 May 2012 18:59:23 +0000 (11:59 -0700)

committer Brett Profitt <brett.profitt@gmail.com>

Mon, 14 May 2012 18:59:23 +0000 (11:59 -0700)
author Brett Profitt <brett.profitt@gmail.com>
Mon, 14 May 2012 18:59:23 +0000 (11:59 -0700)
committer Brett Profitt <brett.profitt@gmail.com>
Mon, 14 May 2012 18:59:23 +0000 (11:59 -0700)
diff --git a/CHANGES.txt b/CHANGES.txt

index a7e14331d02559a2ac781fb683367dac6f25d5d1..f5cacac29dd4464882f03a6eebc6da2f322e8329 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,7 @@ Version 1.8.5
  
   Security Enhancements:
    * Fixed possible XSS vulnerability if using a crafted URL.
+  * Fixed exploit to bypass new user validation if using a crafted form.
  
   Bugfixes:
     * Twitter API: New users are forwarded to the correct page after creating 
diff --git a/engine/lib/users.php b/engine/lib/users.php

index 6a881777e32b2b611b67da05b1c5f0d56b8c7826..e209f2c388788f4df5c009cc006022eca3d5bce2 100644 (file)
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1551,7 +1551,7 @@ function users_init() {
         elgg_register_plugin_hook_handler('register', 'menu:user_hover', 'elgg_user_hover_menu');
  
         elgg_register_action('register', '', 'public');
-       elgg_register_action('useradd', '', 'public');
+       elgg_register_action('useradd', '', 'admin');
         elgg_register_action('friends/add');
         elgg_register_action('friends/remove');
         elgg_register_action('avatar/upload');
author	Brett Profitt <brett.profitt@gmail.com>
	Mon, 14 May 2012 18:59:23 +0000 (11:59 -0700)
committer	Brett Profitt <brett.profitt@gmail.com>
	Mon, 14 May 2012 18:59:23 +0000 (11:59 -0700)
CHANGES.txt		patch \| blob \| history
engine/lib/users.php		patch \| blob \| history