News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Vulnerability in Notify email

Started by Daretary, April 14, 2023, 12:22:38 AM

Previous topic - Next topic

Daretary

$txt['msg_quote_body'] = 'Hello {MEMBERNAME},

You have been quoted in the post titled "{CONTENTSUBJECT}" by {QUOTENAME}, you can see the post here:
{CONTENTLINK}

{REGARDS}';
QUOTENAME is not a Name, but a Username! That is, everyone sees my secret login!
$replacements = array(
                    'CONTENTSUBJECT' => $msgOptions['subject'],
                    'QUOTENAME' => $posterOptions['name'],
                    'MEMBERNAME' => $member_data['real_name'],
                    'CONTENTLINK' => $scripturl . '?msg=' . $msgOptions['id'],
                );
Must show real_name.

Daretary

For example, everything is fine here - shows Name in {POSTERNAME}
$txt['alert_unapproved_reply_body'] = 'A reply has been posted in \'{SUBJECT}\' by {POSTERNAME}.

You can see it at
{LINK}

{REGARDS}';

Aleksi "Lex" Kilpinen

Have not confirmed, do not have time to check right now - but if true, qualifies as a bug, so moved to bug reports.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

DeadMan...

Even the notes in the file claims to use username.
However, it could be more a typo there than actual name.

/**
@additional_params: msg_quote
CONTENTSUBJECT: The post subject.
QUOTENAME:  The user name for the member creating the quote
MEMBERNAME:  The user name for the member being quoted
CONTENTLINK:  The post's link
@description: A notification email sent to the members who've been quoted in a post
 */
I tell it how I see it... Don't like it? Hit Alt+F4!

Aleksi "Lex" Kilpinen

Definitely should be display name, not username. There shouldn't really be any need to use username publicly in any situation, only the user and admin need to know IMO.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

m4z

I think I've reported this before. Will try to find it later (on mobile right now).
"Faith is what you have in things that don't exist."
--Homer Simpson

Es gibt hier im Forum ein deutsches Support-Board!

shawnb61

A question worth asking is born in experience & driven by necessity. - Fripp

Aleksi "Lex" Kilpinen

Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Advertisement: