phpBB3 / PHPBB3-9772

Under some circumstances, email addresses are shown to undesired users

Details

    Description

      If "users send e-mail via board" is disabled (in email settings), all users can see email addresses (and even send email), even those who have the "send email" permission disabled.

      This can represent a security hole, because email addresses are shown even to guest users no matter how you set the permissions of the anonymous user.

      This is because the email icon is shown to everybody. This isn't a problem if email is performed through the board, because the permission violation is caught later. But, if it's not done through the board, all users can send email.

      The fix for this problem is explained in this thread:

      http://www.phpbb.com/community/viewtopic.php?f=71&t=2100748

          People

            A_Jelly_Doughnut [X] (Inactive)
            outofsync [X] (Inactive)
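
The flaw described in this report, as an added PHP illustration that is not phpBB's own code and not the fix from the linked thread: the permission is only enforced by the board's mail form, so it has to be checked when the link is rendered as well. All function names, array keys and the form URL below are assumptions made for the example.

```php
<?php
// Added illustration. Names, keys and the form URL are hypothetical.

/**
 * Flawed: $viewer is never consulted when the link is built.
 * With the board form enabled this is harmless, because the form
 * handler rejects viewers without the permission later on.
 * With it disabled, the raw address is handed to every viewer.
 */
function email_link_flawed(array $config, array $viewer, array $poster): string
{
    if ($config['email_via_board']) {
        return 'memberlist.php?mode=email&u=' . (int) $poster['id'];
    }
    return 'mailto:' . $poster['email'];
}

/**
 * Hardened: the "send email" permission is checked before any link
 * is produced, so the icon and the address are both withheld.
 * The caller is still expected to HTML-escape the returned URL.
 */
function email_link_checked(array $config, array $viewer, array $poster): string
{
    if (empty($viewer['can_send_email'])) {
        return '';
    }
    return email_link_flawed($config, $viewer, $poster);
}

// Constructed sample data: a guest with the permission disabled.
$guest  = ['name' => 'Anonymous', 'can_send_email' => false];
$poster = ['id' => 42, 'email' => 'poster@example.org'];

foreach ([true, false] as $via_board) {
    $config = ['email_via_board' => $via_board];
    printf(
        "email_via_board=%s flawed=%s checked=%s\n",
        var_export($via_board, true),
        var_export(email_link_flawed($config, $guest, $poster), true),
        var_export(email_link_checked($config, $guest, $poster), true)
    );
}
```

With `email_via_board` set to false, the flawed variant returns the `mailto:` address for the guest while the checked variant returns an empty string in both configurations.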