In my quest to customize an "Activation URL Resend Routine"
www.joomlapolis.com/component/option,com_joomlaboard/Itemid,38/func,view/catid,31/id,14641#14641/
I uncovered the truth, and ironically proved my own expectation was true:
The activation URL that is sent is merely a simple call to md5(), passing the row id as the parameter. ...the issue? The key is not secure.
Technically, if someone wanted to, they could loop through a select statement generating custom activation URLs that would "activate" the user (row) associated with the ID.
One example of such:
Using MySQL, this would create Activation URLs for records 1, 10 and 50 in the jos_comprofiler table.
[code:1]
-- One SELECT per row id (1, 10, 50); each builds the confirmation URL for that row
select concat( 'www.domain-name-here.com/index.php?option=com_comprofiler&task=confirm&confirmcode=' , md5( 1 ) ) as confirm_url
union
select concat( 'www.domain-name-here.com/index.php?option=com_comprofiler&task=confirm&confirmcode=' , md5( 10 ) )
union
select concat( 'www.domain-name-here.com/index.php?option=com_comprofiler&task=confirm&confirmcode=' , md5( 50 ) )
[/code:1]
The feature request is to create some type of random encryption SALT for alternate encryption during installation. Possibly an alternate confirmation code method? In short, provide an easily added layer of security.
While I don't see this as that large of a potential flaw, it probably should be considered in the next release/update of CB. Realistically, all this really means is that a user could register with a bunk email address, attempt to force activate his account by programmatically iterating across a set of custom activation URLs, and log in to a site without ever having confirmed an email. Further, this could spoil the confirmation process of ALL other IDs as well, tainting the accuracy of valid emails in your user tables.
Post edited by: moneybagsxp, at: 2006/07/10 22:06
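Added example, not part of the original post and not Community Builder code: one way to build the kind of confirmation code the post asks for, keyed with a secret generated at installation and a per-user random value, so it cannot be derived from the row id. All function names and the storage of the secret and nonce are assumptions.

```php
<?php
// Added example: hypothetical helper names, not Community Builder code.

// Run once at installation; the result would be stored in site configuration
// (assumed storage location, outside the web root or in the config file).
function cb_example_generate_install_secret(): string
{
    return bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
}

// Build the confirmation code for one registration.
// $nonce is a per-user random value saved in the user's row at sign-up (assumed column).
function cb_example_confirm_code(string $installSecret, int $userId, string $nonce): string
{
    // HMAC binds the code to this row id and nonce under the install secret.
    return hash_hmac('sha256', $userId . ':' . $nonce, $installSecret);
}

// Check the code taken from the activation URL against the expected value.
function cb_example_verify(string $installSecret, int $userId, string $nonce, string $supplied): bool
{
    $expected = cb_example_confirm_code($installSecret, $userId, $nonce);
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed sample data for a stand-alone run.
$secret = cb_example_generate_install_secret();
$userId = 50;
$nonce  = bin2hex(random_bytes(16));
$code   = cb_example_confirm_code($secret, $userId, $nonce);

// Code issued for this user.
var_dump(cb_example_verify($secret, $userId, $nonce, $code));
// Hash of the row id alone, as in the scheme the post describes.
var_dump(cb_example_verify($secret, $userId, $nonce, md5((string) $userId)));
// Same code presented for a different row id.
var_dump(cb_example_verify($secret, 51, $nonce, $code));
```

Clearing the stored nonce once a confirmation succeeds makes each activation URL single-use.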