• When using phpbb-bridge and phpBB is set to allow multiple user registrations on the same e-mail address, you run the risk of someone registering on an administrator or moderator’s e-mail address and gaining those privileges on WordPress.

    This problem does not exist in the default configuration of phpBB; it has to be set by the phpBB administrator for this to arise.

    For example, as the WordPress and phpBB administrator I wanted to have two user accounts – admin, and standard day-to-day – to use on my blog and forum. Since I didn’t want to be checking multiple e-mails for blog comments and forum posts, I enabled User Registration Settings > Allow E-Mail Address Re-Use. I created my day-to-day account in phpBB’s registration system and logged into the forum. All was well as phpBB was treating me as a new user. When I went back to the blog I noticed that all the posts had an edit button on them and that the WordPress admin bar appeared (it even shows admin as my logged-in name). phpBB was treating me as a new user and WordPress was treating me as the administrator.

    If a malicious user knew either an admin’s or moderator’s e-mail address this could pose a serious security issue.

    Until this can be addressed in phpbb-bridge, DO NOT SET PHPBB TO ALLOW E-MAIL ADDRESS RE-USE FOR USER REGISTRATIONS!
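
An audit for the condition described in the post above, added here as an example; it is not part of the original post or of phpbb-bridge. The row shapes, the set of privileged roles, the case-insensitive comparison and all sample data are assumptions made for the illustration.

```python
from collections import defaultdict

# Assumption: WordPress roles treated as privileged for this audit.
PRIVILEGED_WP_ROLES = {"administrator", "editor"}


def normalize(email):
    # Assumption: the bridge compares addresses case-insensitively.
    return email.strip().lower()


def audit(phpbb_users, wp_users, allow_email_reuse):
    """Flag privileged WordPress accounts whose e-mail is, or could be, re-used in phpBB.

    phpbb_users: (username, email) rows; wp_users: (login, email, role) rows.
    allow_email_reuse: state of phpBB's "Allow E-Mail Address Re-Use" setting.
    """
    forum_by_email = defaultdict(list)
    for username, email in phpbb_users:
        forum_by_email[normalize(email)].append(username)

    findings = []
    for login, email, role in wp_users:
        if role not in PRIVILEGED_WP_ROLES:
            continue
        key = normalize(email)
        forum_accounts = sorted(forum_by_email.get(key, []))
        if len(forum_accounts) > 1:
            status = "SHARED"   # several forum accounts already use this address
        elif allow_email_reuse:
            status = "EXPOSED"  # setting permits a new registration on this address
        else:
            continue
        findings.append({"email": key, "wp_login": login, "wp_role": role,
                         "forum_accounts": forum_accounts, "status": status})
    return findings


# Constructed sample rows, not taken from any real site.
PHPBB_USERS = [("admin", "owner@example.test"), ("daily", "Owner@Example.test"),
               ("mod1", "mod@example.test"), ("reader", "reader@example.test")]
WP_USERS = [("admin", "owner@example.test", "administrator"),
            ("mod1", "mod@example.test", "editor"),
            ("reader", "reader@example.test", "subscriber")]

if __name__ == "__main__":
    for f in audit(PHPBB_USERS, WP_USERS, allow_email_reuse=True):
        print(f["status"], f["email"], f["wp_login"], f["forum_accounts"])
```

A `SHARED` finding means more than one forum account already holds a privileged user's address and should be reviewed; `EXPOSED` findings go away once the re-use setting is turned off.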

Viewing 1 replies (of 1 total)
  • Cheers for the info mate. I don’t have the multiple email use thing set so I’m good but good to inform other people. Thanks

  • The topic ‘[Plugin: WP phpBB Bridge] Potential security risk if phpBB allowing multiple registrations on same e’ is closed to new replies.