-rw-r--r--CHANGES.txt1
-rw-r--r--engine/lib/users.php2
2 files changed, 2 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a7e14331d..f5cacac29 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,7 @@ Version 1.8.5
Security Enhancements:
* Fixed possible XSS vulnerability if using a crafted URL.
+ * Fixed exploit to bypass new user validation if using a crafted form.
Bugfixes:
* Twitter API: New users are forwarded to the correct page after creating
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 6a881777e..e209f2c38 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1551,7 +1551,7 @@ function users_init() {
elgg_register_plugin_hook_handler('register', 'menu:user_hover', 'elgg_user_hover_menu');
elgg_register_action('register', '', 'public');
- elgg_register_action('useradd', '', 'public');
+ elgg_register_action('useradd', '', 'admin');
elgg_register_action('friends/add');
elgg_register_action('friends/remove');
elgg_register_action('avatar/upload');
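Review bot: The `useradd` registration on the new side sits directly below the intentionally public `register` action, and nothing records why their access levels differ, so the `'admin'` value could be changed back without anyone noticing. A comment above it such as `// admin only: a public useradd let crafted forms bypass new-user validation` would carry the reason from CHANGES.txt into the code. The access level passed to `elgg_register_action()` is the only gate visible in this hunk; it is worth confirming that the useradd action script also checks for an admin caller, so the restriction does not rest on this one argument. A regression test that submits the action without an admin session and expects rejection would guard against a revert. `users_init()` starts and ends outside the hunk.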