Security Fix for E-mail Verification Bypass - huntr.dev

app/sprinkles/account/config/default.php

@@ -162,7 +162,18 @@
         'check_username_request' => null,
         'password_reset_request' => null,
         'registration_attempt'   => null,
-        'sign_in_attempt'        => null,
+        'sign_in_attempt'        => [
+            'method'   => 'ip',
+            'interval' => 3600,
+            'delays'   => [
+                4 => 5,
+                5 => 10,
+                6 => 20,
+                7 => 40,
+                8 => 80,
+                9 => 600,
+            ],
+        ],
         'verification_request'   => null,
     ],
 

app/sprinkles/account/locale/en_US/messages.php

@@ -39,6 +39,7 @@
             '@TRANSLATION'  => 'Account settings',
             'DESCRIPTION'   => 'Update your account settings, including email, name, and password.',
             'UPDATED'       => 'Account settings updated',
+            'NEW_EMAIL'     => 'A link to update your email has been sent to <strong>{{newEmail}}</strong>. Current email <strong>{{email}}</strong> will be used until you complete this step.',
         ],
 
         'TOOLS' => 'Account tools',

app/sprinkles/account/locale/es_ES/messages.php

@@ -39,6 +39,7 @@
             '@TRANSLATION' => 'Configuraciones de la cuenta',
             'DESCRIPTION'  => 'Actualiza la configuración de su cuenta, incluido el correo electrónico, el nombre y la contraseña.',
             'UPDATED'      => 'Configuración de la cuenta actualizada',
+            'NEW_EMAIL'     => 'Se ha enviado un enlace para actualizar tu correo electrónico a <strong>{{newEmail}}</strong>. El correo electrónico actual <strong>{{email}}</strong> será utilizado hasta que este paso sea completado.',
         ],
 
         'TOOLS' => 'Herramientas de la cuenta',

app/sprinkles/account/src/Controller/AccountController.php

@@ -29,6 +29,7 @@
 use UserFrosting\Support\Exception\BadRequestException;
 use UserFrosting\Support\Exception\ForbiddenException;
 use UserFrosting\Support\Exception\NotFoundException;
+use UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface;
 
 /**
  * Controller class for /account/* URLs.  Handles account-related activities, including login, registration, password recovery, and account settings.
@@ -1182,13 +1183,19 @@ public function setPassword(Request $request, Response $response, $args)
         /** @var \UserFrosting\Sprinkle\Account\Authenticate\Authenticator $authenticator */
         $authenticator = $this->ci->authenticator;
 
-        // Log out any existing user, and create a new session
-        if ($authenticator->check()) {
-            $authenticator->logout();
+        // Remove persistent sessions across all browsers/devices, and create a new session
+        $user = $passwordReset->user;
+
+        // Make sure logout will have a valid user
+        if (!$authenticator->check()) {
+            $authenticator->login($user);
         }
 
+        // Remove persistent sessions
+        $authenticator->logout(true);
+
         // Auto-login the user (without "remember me")
-        $user = $passwordReset->user;
+        // Create a new session
         $authenticator->login($user);
 
         $ms->addMessageTranslated('success', 'WELCOME', $user->export());
@@ -1277,10 +1284,26 @@ public function settings(Request $request, Response $response, $args)
         unset($data['passwordcheck']);
         unset($data['passwordc']);
 
-        // If new email was submitted, check that the email address is not in use
-        if (isset($data['email']) && $data['email'] != $currentUser->email && $classMapper->getClassMapping('user')::findUnique($data['email'], 'email')) {
-            $ms->addMessageTranslated('danger', 'EMAIL.IN_USE', $data);
-            $error = true;
+        // If new email was submitted
+        if (isset($data['email']) && $data['email'] != $currentUser->email) {
+
+            // Check that the email address is not in use
+            if ($classMapper->getClassMapping('user')::findUnique($data['email'], 'email')) {
+                $ms->addMessageTranslated('danger', 'EMAIL.IN_USE', $data);
+                $error = true;
+            } elseif ($this->ci->config['site.registration.require_email_verification']) {
+                // If email verification is configured
+
+                // Avoid setting email until verified
+                $data['newEmail'] = $data['email'];
+                unset($data['email']);
+
+                // Send verification email
+                $this->sendVerificationForNewEmail($currentUser, $data['newEmail']);
+
+                // Show verification message
+                $ms->addMessageTranslated('success', 'ACCOUNT.SETTINGS.NEW_EMAIL', $currentUser->toArray());
+            }
         }
 
         if ($error) {
@@ -1301,6 +1324,20 @@ public function settings(Request $request, Response $response, $args)
 
         $currentUser->save();
 
+        // If user changed his password, remove persistent sessions across all browsers/devices, and create a new session
+        if (isset($data['password'])) {
+
+            /** @var \UserFrosting\Sprinkle\Account\Authenticate\Authenticator $authenticator */
+            $authenticator = $this->ci->authenticator;
+
+            // Keep user to re-login after persistent session cleanup
+            $user = $currentUser;
+            $authenticator->logout(true);
+
+            // Auto-login the user (without "remember me")
+            $authenticator->login($user);
+        }
+
         // Create activity record
         $this->ci->userActivityLogger->info("User {$currentUser->user_name} updated their account settings.", [
             'type' => 'update_account_settings',
@@ -1405,4 +1442,28 @@ public function verify(Request $request, Response $response, $args)
         // Forward to login page
         return $response->withRedirect($loginPage);
     }
+
+    /**
+     * Send verification email for specified user on new email request.
+     *
+     * @param \UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface $user The user to send the email for
+     * @param String $newEmail The requested new email
+     */
+    protected function sendVerificationForNewEmail(UserInterface $user, String $newEmail)
+    {
+        // Try to generate a new verification request
+        $verification = $this->ci->repoVerification->create($user, $this->ci->config['verification.timeout']);
+
+        // Create and send verification email
+        $message = new TwigMailMessage($this->ci->view, 'mail/verify-new-email.html.twig');
+
+        $message->from($this->ci->config['address_book.admin'])
+                ->addEmailRecipient(new EmailRecipient($newEmail, $user->full_name))
+                ->addParams([
+                    'user'  => $user,
+                    'token' => $verification->getToken(),
+                ]);
+
+        $this->ci->mailer->send($message);
+    }
 }

app/sprinkles/account/src/Database/Migrations/v400/UsersTable.php

@@ -43,6 +43,7 @@ public function up()
                 $table->boolean('flag_enabled')->default(1)->comment('Set to 1 if the user account is currently enabled, 0 otherwise.  Disabled accounts cannot be logged in to, but they retain all of their data and settings.');
                 $table->integer('last_activity_id')->unsigned()->nullable()->comment('The id of the last activity performed by this user.');
                 $table->string('password', 255);
+                $table->string('newEmail', 254)->default('');
                 $table->softDeletes();
                 $table->timestamps();
 

app/sprinkles/account/src/Database/Models/User.php

@@ -70,6 +70,7 @@ class User extends Model implements UserInterface
         'last_activity_id',
         'password',
         'deleted_at',
+        'newEmail',
     ];
 
     /**

app/sprinkles/account/src/Repository/VerificationRepository.php

@@ -13,7 +13,7 @@
 use UserFrosting\Sprinkle\Account\Database\Models\Interfaces\UserInterface;
 
 /**
- * Token repository class for new account verifications.
+ * Token repository class for new account verifications and email change verifications.
  *
  * @author Alex Weissman (https://alexanderweissman.com)
  *
@@ -31,7 +31,15 @@ class VerificationRepository extends TokenRepository
      */
     protected function updateUser(UserInterface $user, $args)
     {
-        $user->flag_verified = 1;
+        // If this is email update verification
+        if ( $user->flag_verified && $user->newEmail !== "" ) {
+            // Update email and remove requested
+            $user->email = $user->newEmail;
+            $user->newEmail = "";
+        } else {
+            // New user verification
+            $user->flag_verified = 1;
+        }
         // TODO: generate user activity? or do this in controller?
         $user->save();
     }

app/sprinkles/account/templates/mail/verify-new-email.html.twig

@@ -0,0 +1,21 @@
+{% block subject %}
+    Hello {{user.first_name}} - please verify your new email for {{site.title}}
+{% endblock %}
+
+{% block body %}
+<p>Dear {{user.first_name}},
+</p>
+<p>
+You are receiving this email because you requested an email change at {{site.title}} ({{site.uri.public}}).
+</p>
+<p>
+You will need to verify your new email before change can be applied. Please follow the link below to verify your new email.
+</p>
+<p>
+<a href="{{site.uri.public}}/account/verify?token={{token}}">{{site.uri.public}}/account/verify?token={{token}}</a>
+</p>
+<p>
+With regards,<br>
+The {{site.title}} Team
+</p>
+{% endblock %}