• Resolved jtcheng

    (@jtcheng)


    Hi,

    It seems like no matter what I’m doing in the Ultimate Member settings, I can’t seem to prevent a user from signing up with a bogus email and logging into the system (it gets re-directed to the profile page after signing up).

    I tried to force the user to click on an email activation link in order to log in, but to my knowledge, the only option in settings that addresses this is in Settings->Email->Account Activation Email (gear icon)->Account Activation Email checked.

    So my questions are…
    1) How do I prevent the automatic re-direction to the profile page after signing up?
    2) How can I force the user to click on the email activation link to do first time log-in? The way it is right now, this doesn’t seem like a mandatory step even though the email gets sent, because he gets re-directed to the profile page as if he’s logged in (without needing this link).
    3) Is it possible to force unverified users to have Subscriber Role but verified and logged in users to have Author role?

    Is there something I’m missing?


Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter jtcheng

    (@jtcheng)

    I should add…

    I was successfully able to create bogus users with the emails…
    [email protected]
    [email protected]
    [email protected]

    you get the idea

    Plugin Support Ultimate Member Support

    (@ultimatemembersupport)

    Hi @jtcheng,

    1. You can go to the Ultimate Member -> User roles -> your user role e.g. Member and change “Registration options – Action to be taken after registration”.

    2. You can force users to click on the activation links in the email by enabling email activation in your user role settings “Registration Status – Require email activation”.

    3. Unfortunately, it’s not possible in the current version of the plugin.

    Regards.

    Thread Starter jtcheng

    (@jtcheng)

    Hi,

    I did your requested changes and am quite happy with how this turned out.

    Thank you!

    I do have a follow-up question regarding the forms…

    Does the plugin strip out any code tags when malicious users try to inject PHP code or some other script via the forms (regardless of whether it’s login, registration, profile editing, etc.)?

    Any test cases I can try this out on to make sure it’s robust to this kind of attack?

    Plugin Support Ultimate Member Support

    (@ultimatemembersupport)

    Hi @jtcheng,

    Yes, we filter out any code from the form fields.
    We’ve also double checked the possibility of various malicious attacks according to the development standards.

    Regards.

  • The topic ‘Security Flaw with Registration’ is closed to new replies.