Partial fix Manual approval queue bypass

[Xon]

Affected version

2.2.7

The manual approval queue can be bypassed if any form of spam detection is used when email confirmation is enabled, and manual approval is used.

The process is;

1. An admin enables the flags;
   • Enable registration
   • Enable email confirmation
   • Enable manual approval
2. A user signs up, and a spam provider reports they should be moderated
   • The user is added to the approval queue, skipping email confirmation
   • The user is in a "moderate" state
3. The user changes their email address
   • The user is removed from the approval queue, and an edit confirmation email is sent.
   • The user is in a "email_confirm_edit" state
4. The user confirms their email
   • The user is now in a "valid" state.
   • There is are no user change logs generated

The behaviour exists because of the function XF\Service\User\EmailConfirmation::advanceUserState function;

protected function advanceUserState()
{
   $user = $this->user;

   switch ($user->user_state)
   {
      case 'email_confirm':
         if ($this->app->options()->registrationSetup['moderation'])
         {
            $user->user_state = 'moderated';
            break;
         }
      // otherwise, fall through

      case 'email_confirm_edit': // this is a user editing email, never send back to moderation
      case 'moderated':
         $user->user_state = 'valid';
         break;
   }
}

The only true solution is to consult the user change log for the previous user_state to determine what the user should go back to*. Another problem is not all user_state changes are recorded when a user is made valid or moderated as the result of email confirmation.

*User state changes related to signup/approvals probably need to be protected from being purged.

 

[PaulB]

The solution is to avoid creating a user record or accepting any additional registration information until the user has confirmed their email address. It makes no sense to run denylist and spam checks until that happens.

The current system also allows enumeration of emails, and it makes it easier for people to try various banned email addresses until they find one that isn’t banned, since they don’t have to confirm each time. It also permits nefarious actors to pollute denylists with impersonated email addresses, and it allows them to exhaust API credits for paid spam mitigation services.

 

[Xon]

This behaviour doesn't even require a spam configuration provider. The stock "Manually approve registration if user shares IP used by a banned or rejected user in last" option will allow this bug to be triggered in it's stock configuration.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.8).

Change log:

Workaround an issue that could allow certain registration moderation requirements to be bypassed.

There may be a delay before changes are rolled out to the XenForo Community.

 

[Chris D]

Certainly some valid feedback and suggestions here but, for now, the workaround is much simpler.

I know there are potentially other scenarios related to this code and the progression of user states where historical changes should be considered and they are valid but they should probably be part of a larger re-design of that area of the code and some careful consideration above and beyond what is appropriate for a bug fix release.

If there isn't already a suggestion, please make one, or add to it if needed but it is very much in our minds.

In this particular case the issue pertains to being able to bypass the moderated state by changing your email address. From 2.2.8 this won't be possible as it will no longer be possible to change your email address while in the moderated state.

Once the spammy user has been approved it will still skip email confirmation but they shouldn't be able to escape from the moderated state without manual oversight from a moderator.