Status: Closed
Assigned To: cbay - Private
Opened by monty099 - 05.08.2024
Last edited by cbay - 05.08.2024
FS#68 - Bypassing Email Address Restriction for Account Creation in (admin.alwaysdata.com)
*Title:* Bypassing Email Address Restriction for Account Creation
*Description:*
The ban on an email can be bypassed.
An example is the following e-mail address: "admin@alwaysdata.com"
*Steps to Reproduce:*
1. Attempt to create an account using a blocked email address. The system will display a message stating that the email address is blocked and prevent account creation.
2. Create an account using a different email address.
3. Once the account is successfully created, navigate to the account settings.
4. Change the email address of the account to the previously blocked email address.
5. Save the changes. The email address will be updated to the blocked one, bypassing the initial restriction.
*Impact:*
This issue allows users to circumvent email address restrictions.
*Recommendation:*
Implement server-side checks to ensure that email address restrictions are enforced consistently across all account management functionalities. Additionally, review the email update process to prevent such bypasses.
*POC:*
poc1: https://admin.alwaysdata.com/support/77431/375912-poc.22.png
poc2: https://admin.alwaysdata.com/support/77431/375911-bandicam%202024-08-05%2009-36-57-769.mp4
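The reproduction steps and the recommendation above describe a blocklist that is checked at signup but not on the change-email path. The following is an added example, not alwaysdata's code and not the reporter's proof of concept: a constructed in-memory service showing that pattern next to a version where every path that writes an address goes through one server-side gate. The blocked address (admin@example.com), the account store, the function names and the case-insensitive normalization are assumptions made for this illustration.

```python
"""Added example (not alwaysdata's code): a blocklist enforced only at signup
versus one enforced on every path that sets an address.

Everything here is constructed for the illustration: the blocked address,
the in-memory account store and the function names are assumptions.
"""
from dataclasses import dataclass, field

# Constructed blocklist for the example; not any real service's configuration.
BLOCKED_EMAILS = {"admin@example.com"}


class EmailBlocked(ValueError):
    """Raised when an address is on the blocklist."""


@dataclass
class Account:
    username: str
    email: str


@dataclass
class VulnerableService:
    """The pattern from the report: signup checks the blocklist, change_email does not."""
    accounts: dict = field(default_factory=dict)

    def signup(self, username: str, email: str) -> Account:
        if email in BLOCKED_EMAILS:
            raise EmailBlocked(email)
        self.accounts[username] = Account(username, email)
        return self.accounts[username]

    def change_email(self, username: str, new_email: str) -> Account:
        # No blocklist check on this path: that is the bypass in the report.
        self.accounts[username].email = new_email
        return self.accounts[username]


def normalize_email(email: str) -> str:
    """Canonical form so trivially varied spellings compare equal to the blocklist.

    Assumption for this example: the whole address is compared case-insensitively
    and surrounding whitespace is ignored.
    """
    return email.strip().lower()


def assert_email_allowed(email: str) -> str:
    """Single server-side gate; returns the canonical address or raises EmailBlocked."""
    canonical = normalize_email(email)
    if canonical in BLOCKED_EMAILS:
        raise EmailBlocked(canonical)
    return canonical


@dataclass
class HardenedService:
    """Every write of an address goes through assert_email_allowed."""
    accounts: dict = field(default_factory=dict)

    def _set_email(self, account: Account, email: str) -> Account:
        account.email = assert_email_allowed(email)
        return account

    def signup(self, username: str, email: str) -> Account:
        account = self._set_email(Account(username, ""), email)
        self.accounts[username] = account  # stored only after the check passed
        return account

    def change_email(self, username: str, new_email: str) -> Account:
        return self._set_email(self.accounts[username], new_email)


def reproduce_bypass(service) -> bool:
    """Walk the report's steps; True if the blocked address ends up on the account."""
    try:
        service.signup("attacker", "admin@example.com")  # step 1: expected to be refused
    except EmailBlocked:
        pass
    service.signup("attacker", "other@example.org")  # step 2: unrelated address
    try:
        service.change_email("attacker", "Admin@Example.com")  # steps 4-5: switch to the banned one
    except EmailBlocked:
        return False
    return normalize_email(service.accounts["attacker"].email) in BLOCKED_EMAILS


if __name__ == "__main__":
    print("vulnerable bypassed:", reproduce_bypass(VulnerableService()))  # True
    print("hardened bypassed:  ", reproduce_bypass(HardenedService()))    # False
```

`reproduce_bypass` walks the five steps from the report against either service and returns True only when the banned address ends up stored on the account. Routing both signup and change-email through `assert_email_allowed` is the "consistent server-side check" the recommendation asks for; normalizing before the comparison also closes the related case and whitespace variants, which the report does not mention. Whether the local part of an address should be compared case-insensitively is a deployment decision and is only assumed here.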
Hello,
That's not a security vulnerability. Email banning is fragile by definition; it's not supposed to be bulletproof at all.
Kind regards,
Cyril
Hi,
I have some additional information.
Title: Bypassing account Blocking
I hope you help me prove the concept.
I hope that you change the status of the report from general to private because I want to send personal information.
Bypassing profile creation restrictions is:
Not "Bypassing profile creation restrictions"
But retrieving an account that was blocked on the site.
I think there's a difference between them.
So that's a different issue, please open a new report.