Users can modify their profiles and pretend they're someone else #1266

Closed
opened 2026-02-05 00:26:27 +03:00 by OVERLORD · 4 comments

Originally created by @Irrational-NX on GitHub (Jul 19, 2019).

Originally assigned to: @ssddanbrown on GitHub.

Describe the bug
Any user can impersonate anyone else on the wiki.
A user (the attacker) registers using his own mail address; email confirmation is activated, so he clicks on the link in the mail he received. He can then change his first name, last name and profile picture to make it seem he's someone else... So far it's fine, because we can still see his mail address.
But then... the user can change his mail address and no confirmation mail is sent.
Because of that, an attacker can also use a mail address that doesn't exist. My mail address contains an "l", but the attacker can replace it with an "I" (uppercase "i").
Moreover, the domain restriction doesn't apply when changing the mail address. I think this is expected behaviour, but it is still a problem in my opinion.
Which means the user can say he's the CEO...

Steps To Reproduce
Steps to reproduce the behavior:

  1. Register using a real mail address
  2. Confirm registration by clicking the link in the received mail
  3. Change the user's mail address (the address doesn't have to really exist) - no confirmation mail is sent
  4. The user can pretend he's someone else

Expected behavior
When changing mail, a mail confirmation should be sent no matter what.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.26.2
  • PHP Version: v7.2.19
  • Hosting Method (Nginx/Apache/Docker): Nginx on Ubuntu 18.04
OVERLORD added the 🚀 Priority🔒 Security labels 2026-02-05 00:26:27 +03:00

@ssddanbrown commented on GitHub (Aug 7, 2019):

Thank you very much for raising this, @Irrational-NX. Sorry for my late reply; I have had limited time in the last few weeks.

I have just deployed v0.26.4 (https://github.com/BookStackApp/BookStack/releases/tag/v0.26.4) to update the behaviour so that only users with the "Manage Users" permission can update user email addresses. This keeps control with only those that are trusted.

We'll see in the future if self-managed and verified email changes are requested, and look to implement them if there's a call for it, but I'd imagine it's probably an infrequent scenario in the real world.

I did think about taking this further to prevent impersonation by updating user names to show the email address as a tooltip on hover, but I quickly realised there are too many privacy concerns there, since we currently only show email addresses in very limited areas, so that would need extra controls and is therefore not a quick update to make.

Thanks again!


@Irrational-NX commented on GitHub (Aug 7, 2019):

Thank you very much @ssddanbrown for fixing this!

I applied the new version this morning and can confirm this works as intended. :)


@timptner commented on GitHub (Jun 5, 2025):

I'm coming late to the party, but the scenario you mentioned is where I am right now. My users aren't able to change their email address after having registered some time ago. I see that it's quite an uncommon case to update the personal email address, but it does happen, for example when people have both a work and a private email. Most often they create a second account before thinking about contacting admins to request the edit of their account. I think it would be a useful feature to allow people to set a new (and not already in use) email address, which they then need to verify again.

It would probably be best to create a new issue as a feature request, but I'm interested in your opinion first. @ssddanbrown


@ssddanbrown commented on GitHub (Jun 5, 2025):

@timptner Feel free to start a new feature request for that, but I'd want to see proven wider demand before adding another option for that, and it would have to be an option somehow (or via some even more complex approval system), since otherwise the original issue reported here would exist again.
Based upon your request being the only one I can remember since this original change, I'm not sure the demand will be there.

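The thread discusses three ways an application can handle a user's email address change: the unverified change the original report describes, the permission-gated change deployed in v0.26.4, and the re-verified self-service change suggested in the later comments. The following is an added illustration of all three side by side; it is Python written for this page, not BookStack's own (PHP) code, and the user records, the `example.com` domain restriction, the token lifetime and the "Manage Users" flag are assumptions made up for the example.

```python
import secrets
import time
from dataclasses import dataclass

ALLOWED_DOMAIN = "example.com"  # assumed: the instance's registration domain restriction
TOKEN_TTL_SECONDS = 3600        # assumed: a pending change expires after an hour


@dataclass
class User:
    id: int
    name: str
    email: str
    can_manage_users: bool = False  # assumed stand-in for the "Manage Users" permission


@dataclass
class PendingEmailChange:
    user_id: int
    new_email: str
    expires_at: float


class AccountService:
    """Toy account store exposing the three email-change paths for comparison."""

    def __init__(self, users):
        self.users = {u.id: u for u in users}
        self.pending = {}  # token -> PendingEmailChange (nothing applied yet)
        self.outbox = []   # (recipient, token) pairs "mailed" to the NEW address

    @staticmethod
    def _normalise(email):
        return email.strip().lower()

    def _check_new_email(self, new_email):
        """Domain restriction plus uniqueness; raises ValueError on failure."""
        new_email = self._normalise(new_email)
        local, _, domain = new_email.rpartition("@")
        if not local or domain != ALLOWED_DOMAIN:
            raise ValueError("domain not allowed")
        if any(self._normalise(u.email) == new_email for u in self.users.values()):
            raise ValueError("email already in use")
        return new_email

    # 1. The reported behaviour: applied at once, no domain check, no confirmation.
    def update_email_unverified(self, user_id, new_email):
        self.users[user_id].email = new_email

    # 2. The shape of the v0.26.4 fix: only a user-manager may set an address.
    def update_email_as_manager(self, actor_id, user_id, new_email):
        if not self.users[actor_id].can_manage_users:
            raise PermissionError("Manage Users permission required")
        self.users[user_id].email = self._check_new_email(new_email)

    # 3. Self-service with re-verification: the address stays pending until a
    #    token that was mailed to the new mailbox is presented back.
    def request_email_change(self, user_id, new_email):
        new_email = self._check_new_email(new_email)
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingEmailChange(user_id, new_email, time.time() + TOKEN_TTL_SECONDS)
        self.outbox.append((new_email, token))
        return token

    def confirm_email_change(self, token):
        change = self.pending.pop(token, None)
        if change is None or change.expires_at < time.time():
            return False
        try:  # re-check: someone may have taken the address while it was pending
            self._check_new_email(change.new_email)
        except ValueError:
            return False
        self.users[change.user_id].email = change.new_email
        return True


def demo():
    """Constructed scenario (not from the issue): Mallory tries to look like Alice."""
    svc = AccountService([
        User(1, "Alice Lee", "alice.lee@example.com", can_manage_users=True),
        User(2, "Mallory", "mallory@example.com"),
    ])
    lookalike = "aIice.lee@example.com"  # capital I for the l, as the report describes
    results = {}
    svc.update_email_unverified(2, lookalike)          # path 1: accepted silently
    results["vulnerable_email"] = svc.users[2].email
    svc.users[2].email = "mallory@example.com"          # reset before the other paths
    try:                                                # path 2: refused, no permission
        svc.update_email_as_manager(2, 2, lookalike)
        results["manager_path_refused"] = False
    except PermissionError:
        results["manager_path_refused"] = True
    try:                                                # path 3: domain restriction holds
        svc.request_email_change(2, "mallory@attacker.org")
        results["off_domain_rejected"] = False
    except ValueError:
        results["off_domain_rejected"] = True
    svc.request_email_change(2, lookalike)              # pending only; mailbox does not exist
    results["pending_email_visible"] = svc.users[2].email
    results["confirm_garbage_token"] = svc.confirm_email_change("not-a-real-token")
    token = svc.request_email_change(2, "mallory.work@example.com")
    results["confirmed"] = svc.confirm_email_change(token)  # token came back from the mailbox
    results["final_email"] = svc.users[2].email
    return results
```

The lookalike address passes the uniqueness check in every path, since `aiice` and `alice` are different strings; what stops the impersonation in path 3 is that the new address is never shown or used until its owner proves receipt of the token, and nobody receives mail at a nonexistent mailbox. Path 2 avoids the problem by removing the self-service change altogether, which is the trade-off the maintainer chose.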
Reference: starred/BookStack#1266