Page MenuHomePhabricator

Security Advisory: Bypass of `auth.email-domains`
Closed, ResolvedPublic

Description

We've recently fixed several issues which allowed an attacker to bypass the auth.email-domains setting and register an account without controlling a valid email address.

You are vulnerable if: you have at least one registration-enabled auth provider which an attacker could register an account on (like email, Google, or Facebook, but usually not LDAP); you rely on auth.email-domains to restrict registrations; and you have disabled the administrative approval queue.

Even if you are not vulnerable, the fixes for these issues harden Phabricator against attacks of this class, and all installs are advised to upgrade.

If you don't want to upgrade immediately, a workaround is to enable the approval queue (auth.require-approval) and manually approve registrations until you have a chance to upgrade.

Event Timeline

epriestley updated the task description. (Show Details)
epriestley raised the priority of this task from to High.
epriestley claimed this task.
epriestley added a project: Security.
epriestley closed this task as Resolved.
epriestley added a subscriber: epriestley.

(This is resolved in HEAD, I'm just using this task as a public post / discussion if anyone has questions.)

arice added a subscriber: arice.Feb 24 2014, 1:13 AM

These issues were reported to us via HackerOne, the original reports will be available here once the issues are disclosed on that platform:

We also fixed this lower-priority issue recently: