One of my sites allowed a new user (a spammer, of course) to register and start posting content under the 'authenticated user' role a few days ago, even though my user settings were configured to require admin approval of all new accounts.
My logs indicate that the user was approved immediately (because the user started posting new content nearly immediately), and no other user (including admin accounts) were logged in to the system between the user's registration and first posting - so I don't think that the user was able to approve the new account by spoofing one of the admin accounts' session ids, or by logging in as an admin, approving the account, etc. (I think the latter is an unlikely scenario).
The spam module caught the spammers' postings and prevented their appearance on the site.
My question: how could a user register and gain access to the authenticated user role when new accounts require admin approval? Does anybody know of an exploit or flaw that allows such
I had the invite module enabled (I've disabled it since) and the LoginToboggan module as well. I've locked down the site to require all new accounts be created by an admin, in order to prevent such nonsense while I sort out the problem.
Any ideas?
Drupal version: 4.7
Modules of interest: Invite, LoginToboggan
Comments
Drupal security announcement for LoginToboggan
You may already know this by now, but DRUPAL-SA-2007-016 covers a XSS exploit for LoginToboggan.
From the security announcement:
Yes, saw that, but it's not
Yes, saw that, but it's not related, as far as I can tell.
Michael Curry
Drupal and Windows Tips