Email addresses are currently stored unchecked for mailing passwords or
EmailUser. Any *potential* security hole in the PHP mail() or PEAR:Mail function as
called in UserMailer.php could be exploited by entering pseudo addresses which
do something unwanted.
Remark: I do not mean the email authentication as described in
http://bugzilla.wikipedia.org/show_bug.cgi?id=866 , which only authenticates
addresses for the "higher" functions such as EmailUser and Enotif. But please be
reminded that the "I forgot my password" mails are sent to un-authenticated
addresses anyway.
Proposed is
(a) converting to all lower case
(b) a check for valid mail address strings
The Enotif and Email Authentication patches 454 and 866 are coming with
solutions to this bug, as they only allow users to store one email address which
matches the regular expression
^([a-z0-9_.-]+([a-z0-9_.-]+)*\@[a-z0-9_-]+([a-z0-9_.-]+)*([a-z.]{2,})+)$
I gave provisionally highest priority to this bug.
A fix is easy by checking the user-entered (dirty=unauthenticated) email address
simply before storing in SpecialUserlogin.php against the above regular
expression. In case of a non-matching address, an empty (blank) string address can
be provisionally stored in table user.
I repeat: my Enotif and my Email authentication procedure will be published with
a solution to this problem.
Version: unspecified
Severity: enhancement
URL: http://www.faqs.org/rfcs/rfc2822.html
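
The check proposed in this report, sketched in PHP as an added example (it is not MediaWiki code and not the reporter's patch). The function name sanitizeUserEmail, the 254-byte length cap and the sample inputs are assumptions; the regular expression is the one quoted above, with the D modifier added so that `$` cannot match before a trailing newline.

```php
<?php
// Added illustration; not taken from SpecialUserlogin.php or UserMailer.php.

// Regular expression from the report. The D (PCRE_DOLLAR_ENDONLY) modifier is
// an addition: without it, "$" also matches just before a final "\n", so an
// address ending in a newline would pass the check.
const EMAIL_PATTERN =
    '/^([a-z0-9_.-]+([a-z0-9_.-]+)*\@[a-z0-9_-]+([a-z0-9_.-]+)*([a-z.]{2,})+)$/D';

// Assumed upper bound on address length (hypothetical policy value).
const EMAIL_MAX_BYTES = 254;

/**
 * Returns the lower-cased address if it passes the check, otherwise the
 * empty string, which is what the report proposes to store in table user.
 */
function sanitizeUserEmail(string $raw): string
{
    // Cap the length first: the nested quantifiers in the pattern can
    // backtrack heavily on long non-matching input.
    if ($raw === '' || strlen($raw) > EMAIL_MAX_BYTES) {
        return '';
    }
    // Step (a) of the proposal: convert to all lower case.
    $addr = strtolower($raw);
    // Reject control characters (CR, LF, NUL, ...) before anything else, so
    // they can never reach a mail header.
    if (preg_match('/[\x00-\x1f\x7f]/', $addr) === 1) {
        return '';
    }
    // Step (b): preg_match() returns 1 on a match, 0 on no match and false on
    // a PCRE error such as exceeding pcre.backtrack_limit; only 1 is accepted.
    return preg_match(EMAIL_PATTERN, $addr) === 1 ? $addr : '';
}

// Constructed sample inputs, for illustration only.
$samples = [
    'User.Name@Example.ORG',
    "user@example.org\n",
    "user@example.org\r\nBcc: other@example.net",
    'not an address',
    str_repeat('a', 300) . '@example.org',
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode(substr($s, 0, 40)), var_export(sanitizeUserEmail($s), true));
}
```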