From 70e5ffe5f887679b10b6c6ac8a14b1f128efbb52 Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Mon, 14 May 2012 11:59:23 -0700 Subject: Setting the useradd action's access to admin instead of public. --- CHANGES.txt | 1 + engine/lib/users.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGES.txt b/CHANGES.txt index a7e14331d..f5cacac29 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -7,6 +7,7 @@ Version 1.8.5 Security Enhancements: * Fixed possible XSS vulnerability if using a crafted URL. + * Fixed exploit to bypass new user validation if using a crafted form. Bugfixes: * Twitter API: New users are forwarded to the correct page after creating diff --git a/engine/lib/users.php b/engine/lib/users.php index 6a881777e..e209f2c38 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -1551,7 +1551,7 @@ function users_init() { elgg_register_plugin_hook_handler('register', 'menu:user_hover', 'elgg_user_hover_menu'); elgg_register_action('register', '', 'public'); - elgg_register_action('useradd', '', 'public'); + elgg_register_action('useradd', '', 'admin'); elgg_register_action('friends/add'); elgg_register_action('friends/remove'); elgg_register_action('avatar/upload'); -- cgit v1.2.3