View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001734||Anope Stable (2.0.x series)||General||public||2020-01-10 00:53||2020-01-10 00:53|
|Summary||0001734: NS CONFIRM token from NS RESETPASS confirms a user|
|Description||This issue is related to nickserv/confirm. When an unconfirmed user uses a CONFIRM command given by RESETPASS in email (i.e. CONFIRM [nick] [securitytoken]), his nick is automatically confirmed, as it would have been by an operator.|
I think this behavior is not usual and password recovery should not confirm an unconfirmed user, thus I consider it a bug. I have found it in all earlier versions including the latest 2.0.7.
|Steps To Reproduce||1. Enable "ns_register" module with `registration = "admin"` option in order to manually approve nicks.|
2. Register as a new user normally e.g. /ns register password email
Right now the nick status is unconfirmed and should only be approved by an administrator.
3. Now a user could easily bypass the restriction and become confirmed by sending himself a /ns resetpass token and using it. The /ns confirm command crafted by resetpass makes him a confirmed user.
|Tags||No tags attached.|
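
A minimal model of the behaviour reported above, next to a handler that binds each token to its purpose. This is an added example, not Anope's code: `Services`, `Account`, `TokenPurpose` and the method names are hypothetical, and the token value is a constructed placeholder.

```cpp
#include <map>
#include <string>

// Hypothetical model of the reported logic; not Anope's data structures.
enum class TokenPurpose { Registration, PasswordReset };

struct Account {
    bool unconfirmed = true;   // awaiting operator approval (registration = "admin")
    bool has_token = false;
    std::string token;
    TokenPurpose purpose = TokenPurpose::Registration;
};

struct Services {
    std::map<std::string, Account> accounts;

    // With registration = "admin", no confirmation token is issued at register time.
    void Register(const std::string &nick) { accounts[nick] = Account(); }

    // RESETPASS: the token would be e-mailed to the owner; returned here for the demo.
    std::string ResetPass(const std::string &nick) {
        Account &a = accounts.at(nick);
        a.token = "constructed-token-" + nick;  // placeholder; real tokens need a CSPRNG
        a.purpose = TokenPurpose::PasswordReset;
        a.has_token = true;
        return a.token;
    }

    // Behaviour as reported: any valid token also clears the unconfirmed state.
    bool ConfirmAsReported(const std::string &nick, const std::string &tok) {
        Account &a = accounts.at(nick);
        if (!a.has_token || tok != a.token) return false;
        a.has_token = false;
        a.unconfirmed = false;  // the reset token doubles as operator approval
        return true;
    }

    // Hardened: the token is single-use and only a registration token confirms.
    bool ConfirmHardened(const std::string &nick, const std::string &tok) {
        Account &a = accounts.at(nick);
        if (!a.has_token || tok != a.token) return false;
        a.has_token = false;
        if (a.purpose == TokenPurpose::Registration)
            a.unconfirmed = false;
        return true;  // PasswordReset: caller continues to the password change only
    }
};
```
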