View Issue Details

IDProjectCategoryView StatusLast Update
0001734Anope Stable (2.0.x series)Generalpublic2020-01-10 00:53
Reporterbarghain Assigned To 
PriorityhighSeveritymajorReproducibilityalways
Status newResolutionopen 
Summary0001734: NS CONFIRM token from NS RESETPASS confirms a user
DescriptionThis issue is related to nickserv/confirm. When an unconfirmed user use a CONFIRM command given by RESETPASS in email (i.e. CONFIRM [nick] [securitytoken]), his nick is automatically confirmed as would have confirmed by an operator.

I think this behavior is not usual and password recovery should not confirm an unconfirmed user, thus I consider it a bug. I have found it in all earlier versions including the latest 2.0.7.
Steps To Reproduce1. Enable "ns_register" module with `registration = "admin"` option in order to manually approve nicks.

2. Register as a new user normally e.g. /ns register password email
   Right now the nick status is unconfirmed and only should be approved by an administrator

3. Now a user could easily bypass the restriction and become confirmed by sending himself a /ns resetpass token and using it. The /ns confirm command crafted by resetpass makes him a confirmed user.
TagsNo tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-01-10 00:53 barghain New Issue