[Fix] e-mail verification bypass

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/3-packagist-userfrosting%2Fuserfrosting

⚙️ Description *

UserFrosting is following strict email verification but can be bypassed by changing email in account settings.

Bypass is fixed by requiring verification before updating to new email.

💻 Technical Description *

Existent verification mecanism was extended to handle email address change. If mail-verification is enabled in settings, acount settings update will store newEmail as a request and send an email with link for verification, after link is open by new email owner settings will be updated to new email.

🐛 Proof of Concept (PoC) *

1. Setup UserFrosting repo
2. Create a user using valid email
3. Verify new acount by following verification link
4. Log in and go to My Account
   5 Change the email and save
5. New email will be enabled without verification
6. Now you can login with unverified email

🔥 Proof of Fix (PoF) *

After fix verification email is sent to requested address and account information won't be updated untill verification is completed:

To verify follow received link:

After verification new email can be used, account information is updated:

👍 User Acceptance Testing (UAT)

e-mail can be updated using verification and application works normally

[Mik317]

LGTM 😄 🍰

Cheers,
Mik

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord