Opened 16 years ago

Closed 16 years ago

#718 closed Defect (fixed)

Exploit: Email validation can be circumvented

Reported by: jbk Owned by: davea
Priority: Minor Milestone: Undetermined
Component: Web - Project Version:
Keywords: email validation burp Cc:

Description

Issue:

A user may validate an email address (or any string containing @) by manually calculating and providing the challenge response URL which is sent to the email address.

Affected projects: Projects using the email validation field in the user database table. By default email validation is switched off.

Details:

The challenge URL contains 3 parameters:

  1. The first parameter is validate, which is always set to 1 when validating.
  2. The second parameter is the userid for which to validate the URL. The user knows this piece of information.
  3. The third parameter is the md5 hash of the email to validate concatenated with the user's authenticator. The authenticator is known to the user or can be lifted from the session cookie or from a client running on the user's machine. Similarly, the email to validate is known to the user.

How to replicate:

  1. Go to any project with email validation and enter a bogus email.
  2. Calculate the md5 sum of this email concatenated with your account key.
  3. Do a GET request to validate_email_addr.php?validate=1&u=USERID&x=THE_MD5_SUM

Suggested solution:

A challenge of this kind should always contain a random factor which is unknown to the user. A good idea is to set a random seed in the database and use this together with the email hash and authenticator when generating the challenge URL. When the user clicks the URL it is then compared with the seed and other information stored in the database.
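The forgery described in the ticket, and the suggested fix, side by side as an added example. This is not code from the BOINC project (whose web code is PHP); it is a Python sketch written for this page. The user table, the pending-challenge store, the field names and the 24-hour lifetime are all assumptions. The weak half reproduces the token exactly as the report describes it (md5 of email concatenated with the authenticator) so the forgery can be seen to succeed; the hardened half stores a random secret per challenge on the server, keys the token on it with HMAC, compares in constant time, and consumes the challenge on first use.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample user table (not BOINC's schema). The authenticator is
# exactly the value a user can read from their own session cookie or client.
USERS = {
    42: {"authenticator": "0123456789abcdef0123456789abcdef", "email_validated": False},
}

# --- The scheme the ticket describes: x = md5(email || authenticator) -------

def weak_token(email: str, authenticator: str) -> str:
    return hashlib.md5((email + authenticator).encode()).hexdigest()

def weak_validate(userid: int, email: str, token: str) -> bool:
    # Every input on the right-hand side is known to the user, so a match
    # proves nothing about whether anyone ever received the mail.
    return token == weak_token(email, USERS[userid]["authenticator"])

def forge_validation_url(userid: int, bogus_email: str) -> str:
    # Steps 2 and 3 of "How to replicate", using only the user's own data.
    auth = USERS[userid]["authenticator"]
    return "validate_email_addr.php?" + urlencode(
        {"validate": 1, "u": userid, "x": weak_token(bogus_email, auth)}
    )

# --- Hardened scheme following the suggested solution ----------------------
# A random secret is generated server side per challenge and kept in the
# database (here a dict); the token is an HMAC keyed on that secret, so the
# user cannot compute it from anything they hold. TTL is an assumption.

PENDING = {}                 # userid -> (email, secret, expires_at)
CHALLENGE_TTL = 24 * 3600

def _token(secret: bytes, userid: int, email: str) -> str:
    return hmac.new(secret, f"{userid}:{email}".encode(), hashlib.sha256).hexdigest()

def issue_challenge(userid: int, email: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    secret = secrets.token_bytes(32)             # unknown to the user
    PENDING[userid] = (email, secret, now + CHALLENGE_TTL)
    return "validate_email_addr.php?" + urlencode(
        {"validate": 1, "u": userid, "x": _token(secret, userid, email)}
    )

def strong_validate(url: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    qs = parse_qs(urlparse(url).query)
    try:
        userid = int(qs["u"][0])
        presented = qs["x"][0]
    except (KeyError, ValueError):
        return False
    pending = PENDING.get(userid)
    if pending is None:
        return False                             # never issued, or already used
    email, secret, expires_at = pending
    if now > expires_at:
        del PENDING[userid]
        return False
    expected = _token(secret, userid, email)
    if not hmac.compare_digest(presented, expected):
        return False
    del PENDING[userid]                          # one-shot: the link cannot be replayed
    USERS[userid]["email_validated"] = True
    return True
```

The email bound into the challenge is the one stored server side when the link was issued, not one taken from the request, so the user cannot swap in a different address after the fact; deleting the pending record on success makes the link single-use.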

Change History (2)

comment:1 Changed 16 years ago by jbk

Keywords: burp added

comment:2 Changed 16 years ago by davea

Resolution: fixed
Status: new → closed

(In [15813]) - fix bug that made email address validation worthless

(from Janus K.). Fixes #718
