atjiu pybbs
- Affected versions: <= 6.0.0
This vulnerability is being actively exploited in the wild.
A critical vulnerability has been identified in atjiu pybbs versions through 6.0.0, specifically within the Email Verification Handler component. The flaw is an improper-authorization issue: the application does not require email verification during registration; verification is only enforced later, when a user uploads an avatar. Because of this ordering, an attacker can register accounts against email addresses they do not control, impersonating the real owners, and can register multiple accounts without restriction.
Exploitation of this vulnerability could lead to unauthorized account registrations under other people's email addresses, potentially enabling further impersonation or abuse within the application.
To reproduce this vulnerability, register a new account on an atjiu pybbs instance running a vulnerable version and bypass the email verification step during registration. After registration, upload an avatar; this is the first point at which the application demands email verification, which will not have been completed, showing that the account was created and usable without proper validation.
Users are advised to update to the latest version of atjiu pybbs, where this vulnerability has been addressed.
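As an added illustration (not code from pybbs or from this advisory), a minimal registration flow in Python that closes the ordering flaw described above: an account is created in a pending state, the emailed token must be presented before any account action (avatar upload included), a verified or still-pending address cannot be registered again, and a lapsed unverified registration can be replaced so that a stranger's unverified signup cannot permanently lock the real owner out. The Registry and Account names, the outbox standing in for the mailer, and the 15-minute window are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PENDING_TTL = 15 * 60  # seconds a registration may stay unverified before it lapses

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Account:
    username: str
    email: str
    verified: bool = False
    token_hash: str = ""       # only the hash of the emailed token is stored
    token_expires: float = 0.0

class Registry:
    def __init__(self, now=time.time):
        self.accounts: dict[str, Account] = {}   # keyed by normalised email
        self.outbox: list[tuple[str, str]] = []  # stands in for the mailer
        self.now = now

    def register(self, username: str, email: str) -> bool:
        email = email.strip().lower()
        existing = self.accounts.get(email)
        # Refuse a verified address or a pending one still inside its window; a
        # lapsed pending entry may be replaced so a stranger cannot lock out the owner.
        if existing and (existing.verified or self.now() <= existing.token_expires):
            return False
        token = secrets.token_urlsafe(32)
        self.accounts[email] = Account(username, email, token_hash=_digest(token),
                                       token_expires=self.now() + PENDING_TTL)
        self.outbox.append((email, token))  # only the mailbox owner receives this
        return True

    def verify(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        if (acct is None or acct.verified or self.now() > acct.token_expires
                or not hmac.compare_digest(acct.token_hash, _digest(token))):
            return False
        acct.verified, acct.token_hash = True, ""  # token is single use
        return True

    def upload_avatar(self, email: str, blob: bytes) -> bool:
        # Every account action checks the flag; verification is never deferred.
        acct = self.accounts.get(email.strip().lower())
        return acct is not None and acct.verified and len(blob) > 0
```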