
Security Advisory: Bypass of `auth.email-domains`
Closed, Resolved (Public)

Description

We've recently fixed several issues which allowed an attacker to bypass the auth.email-domains setting and register an account without controlling a valid email address.

You are vulnerable if: you have at least one registration-enabled auth provider which an attacker could register an account on (like email, Google, or Facebook, but usually not LDAP); you rely on auth.email-domains to restrict registrations; and you have disabled the administrative approval queue.

Even if you are not vulnerable, the fixes for these issues harden Phabricator against attacks of this class, and all installs are advised to upgrade.

If you don't want to upgrade immediately, a workaround is to enable the approval queue (auth.require-approval) and manually approve registrations until you have a chance to upgrade.
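As an added illustration (not Phabricator's own code), a small Python model of the registration gate the two settings above describe: the domain restriction is applied only to an address the user has actually verified, and the approval queue sits behind that check. The function names, the address pattern and the sample domain are assumptions made for this example.

```python
import re

# Constructed stand-ins for the two settings named in the advisory; the
# values are example data, not a real install's configuration.
ALLOWED_DOMAINS = {"example.com"}   # auth.email-domains
REQUIRE_APPROVAL = False            # auth.require-approval

# Strict local@domain shape: exactly one "@", a non-empty local part and a
# plain dotted domain. Anything that does not parse cleanly is rejected
# rather than guessed at, so odd input cannot slip past the domain test.
_ADDRESS = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def allowed_domain(address: str) -> bool:
    """True only if the address parses and its domain is on the allowlist."""
    match = _ADDRESS.match(address.strip())
    if not match:
        return False
    allowed = {d.lower() for d in ALLOWED_DOMAINS}
    return match.group(1).lower() in allowed


def registration_decision(address: str, verified: bool,
                          require_approval: bool = REQUIRE_APPROVAL) -> str:
    """Decide the outcome of a registration attempt.

    An unverified address never counts toward the domain restriction: an
    address supplied by a provider, or typed in by the registrant, only
    satisfies the allowlist once control of it has been proven. With the
    approval queue enabled, even an allowed address waits for an admin.
    """
    if not verified:
        return "reject"          # verify first, then re-evaluate
    if not allowed_domain(address):
        return "reject"          # outside auth.email-domains
    return "queue" if require_approval else "approve"
```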

Event Timeline

epriestley closed this task as Resolved.
epriestley claimed this task.
epriestley raised the priority of this task from to High.
epriestley updated the task description.
epriestley added a project: Security.
epriestley added a subscriber: epriestley.

(This is resolved in HEAD, I'm just using this task as a public post / discussion if anyone has questions.)

These issues were reported to us via HackerOne; the original reports will be available here once the issues are disclosed on that platform:

We also fixed this lower-priority issue recently: