Vulnerability in Notify email

[Daretary]

Code Select Expand

$txt['msg_quote_body'] = 'Hello {MEMBERNAME},

You have been quoted in the post titled "{CONTENTSUBJECT}" by {QUOTENAME}, you can see the post here:
{CONTENTLINK}

{REGARDS}';
QUOTENAME is not a Name, but a Username! That is, everyone sees my secret login!

Code Select Expand

$replacements = array(
                    'CONTENTSUBJECT' => $msgOptions['subject'],
                    'QUOTENAME' => $posterOptions['name'],
                    'MEMBERNAME' => $member_data['real_name'],
                    'CONTENTLINK' => $scripturl . '?msg=' . $msgOptions['id'],
                );
Must show real_name.

[Daretary]

For example, everything is fine here - shows Name in {POSTERNAME}

Code Select Expand

$txt['alert_unapproved_reply_body'] = 'A reply has been posted in \'{SUBJECT}\' by {POSTERNAME}.

You can see it at
{LINK}

{REGARDS}';


[Aleksi "Lex" Kilpinen]

Have not confirmed, do not have time to check right now - but if true, qualifies as a bug, so moved to bug reports.

[DeadMan...]

Even the notes in the file claims to use username.
However, it could be more a typo there than actual name.

Code Select Expand

/**
@additional_params: msg_quote
CONTENTSUBJECT: The post subject.
QUOTENAME:  The user name for the member creating the quote
MEMBERNAME:  The user name for the member being quoted
CONTENTLINK:  The post's link
@description: A notification email sent to the members who've been quoted in a post
 */

[Aleksi "Lex" Kilpinen]

Definitely should be display name, not username. There shouldn't really be any need to use username publicly in any situation, only the user and admin need to know IMO.

[m4z]

I think I've reported this before. Will try to find it later (on mobile right now).

[shawnb61]

Confirmed, & logged here:
https://github.com/SimpleMachines/SMF/issues/7734

[Aleksi "Lex" Kilpinen]

Fix merged https://github.com/SimpleMachines/SMF/pull/7736