From: Brett Profitt Date: Mon, 14 May 2012 18:59:23 +0000 (-0700) Subject: Setting the useradd action's access to admin instead of public. X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=70e5ffe5f887679b10b6c6ac8a14b1f128efbb52;p=lorea%2Felgg.git Setting the useradd action's access to admin instead of public.
---
diff --git a/CHANGES.txt b/CHANGES.txt
index a7e14331d..f5cacac29 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,7 @@ Version 1.8.5
 Security Enhancements:
 * Fixed possible XSS vulnerability if using a crafted URL.
+ * Fixed exploit to bypass new user validation if using a crafted form.
 Bugfixes:
 * Twitter API: New users are forwarded to the correct page after creating
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 6a881777e..e209f2c38 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1551,7 +1551,7 @@ function users_init() {
 elgg_register_plugin_hook_handler('register', 'menu:user_hover', 'elgg_user_hover_menu');
 elgg_register_action('register', '', 'public');
- elgg_register_action('useradd', '', 'public');
+ elgg_register_action('useradd', '', 'admin');
 elgg_register_action('friends/add');
 elgg_register_action('friends/remove');
 elgg_register_action('avatar/upload');
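Review bot: The new 'admin' access level on the useradd registration is documented nowhere in the code, and it sits directly under `elgg_register_action('register', '', 'public');`, so a later reader will see two user-creation actions with different access and no reason for the difference; a why-comment on the changed line would pin it: `// admin-only: useradd creates accounts without the new-user validation that 'register' applies (CHANGES 1.8.5)`. The restriction now lives solely in the action registry, so it holds only as long as no plugin re-registers 'useradd' with a wider access level; as defence in depth the action handler itself (not in this diff) could call `admin_gatekeeper()` at its top so the check does not depend on the registration table. The enclosing users_init() continues past the end of this hunk.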