Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-9772

Under some circumstances, email addresses are shown to undesired users

XMLWordPrintable

      If "users send e-mail via board" is disabled (in email settings), all users can see email addresses (and even send email), even those who have the "send email" permission disabled.

      This can represent a security hole, because email addresses are shown even to guest users no matter how you set the permissions of the anonymous user.

      This is because the email icon is shown to everybody. This isn't a problem if email is performed through the board, because the permission violation is caught later. But, if it's not done through the board, all users can send email.

      The fix for this problem is explained in this thread:

      http://www.phpbb.com/community/viewtopic.php?f=71&t=2100748

            A_Jelly_Doughnut A_Jelly_Doughnut
            outofsync outofsync [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: