Friday 13 February 2009 5:50:35 am
Could you please post an issue in the bug tracker, tagged as 'security issue' and add as much information as possible in there (it will be kept private)?
If your analysis is correct, an attacker somehow managed to change an existing user's email/password, but not to activate it by clicking on the correct activation code. This means that either he did not receive the email with the validation code because your site is configured not to send those emails, or the action of modifying the user's config did not trigger the generation of a new user-activation key... It would especially be interesting to get the access logs of the server. Plus the eZP version you are running, of course, and any configuration details.
Principal Consultant International Business
Member of the Community Project Board