Issues with duplicated usernames / overwriting accounts

Replies: 0

Hi Javier, thanks again for this great plugin.
I found a security issue when I bulk import/update users.

In the database I have this:
testuser1,testuser1@hotmail.com,2020-09-30 23:59:59,
testuser2,testuser2@hotmail.com,2020-09-30 23:59:59,
testuser3,testuser3@hotmail.com,2020-09-30 23:59:59,

I have this CSV Data:
Username,Email,subscription_date,
testuser1,testuser1@mail.com,2024-09-30 23:59:59,
testuser2,testuser2@mail.com,2024-09-30 23:59:59,
testuser3,testuser3@mail.com,2024-09-30 23:59:59,

I import with the Update option “Never update passwords”.
Result:
All usernames from the CSV file that were found in the DB had their email and subscription_date changed.
In this way we can overwrite the email of an existing user and steal the user account, or by mistake change the owner of the account by giving another email. The new user will not be able to log in because the password is not changed, but he can reset it.

The old user’s email (hotmail.com) will receive email saying:
Your email was changed, please contact admin if you didn’t change it.

I found in the code that you can generate random usernames with the prefix ‘user_id’, so I tried empty username values when importing.
CSV Data:
Username,Email,subscription_date,
,testuser1@mail.com,2024-09-30 23:59:59,
,testuser2@mail.com,2024-09-30 23:59:59,
,testuser3@mail.com,2024-09-30 23:59:59,

I got 3 errors and nothing was imported:

Row Username Email subscription_date
1 User already exists as:testuser1(in this CSV file is called:user_206325) testuser1@mail.com 2020-09-30 23:59:59
2 User already exists as:testuser2(in this CSV file is called:user_387688) testuser2@mail.com 2020-09-30 23:59:59
3 User already exists as:testuser3(in this CSV file is called:user_639511) testuser3@mail.com 2020-09-30 23:59:59

My question is: what is your advice, how can this be solved in the easiest and simplest way?

Option 1:
Maybe show an error when the DB pair (username and email) doesn’t match the CSV pair (username and email).

Option 2: (more efficient and useful for admin operators)

Add functionality to check whether the CSV username/email and the DB username/email have mismatched data. Then add a random suffix to the username if it’s already taken by another user and create it as a new user, rather than overwriting the old user by changing his email.

For example:
There is
username: testuser1 with email example@yahoo.com in the DB.
If I import testuser1 with testuser1@mail.com,
the plugin will generate a new username prefixed with the desired username:
username: testuser1_43242 with email testuser1@mail.com
to prevent overwriting users’ emails.

I hope you can understand my case and my issue. If you have any questions, I will respond shortly.

Thanks, and I will donate to support your work on this plugin.

This topic was modified 5 minutes ago by nasko7.
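Added example, not code from the plugin or from the post above: the two options sketched in the post as one row-planning function in Python, run over constructed data so the mismatch check and the suffixed-username path can be tested before anything touches the database. The users table is simulated with a dict (an assumption); in the real plugin the lookup would go against the WordPress users table, and the plan would be executed only after it contains no "error" rows.

```python
import csv
import io
import secrets

# Constructed stand-in for the users table: login -> email.
EXISTING_USERS = {
    "testuser1": "testuser1@hotmail.com",
    "testuser2": "testuser2@hotmail.com",
    "testuser3": "testuser3@hotmail.com",
}

# Constructed CSV: row 1 re-points an existing login at a new email
# (the takeover case), row 2 matches the DB, row 3 is a genuinely new user.
CSV_DATA = """Username,Email,subscription_date
testuser1,testuser1@mail.com,2024-09-30 23:59:59
testuser2,testuser2@hotmail.com,2024-09-30 23:59:59
newuser,newuser@mail.com,2024-09-30 23:59:59
"""


def plan_import(existing, csv_text, mode="reject"):
    """Return (action, username, detail) per CSV row.

    mode="reject": option 1, refuse rows whose (username, email) pair
      disagrees with the stored pair.
    mode="suffix": option 2, create a new account under a suffixed login
      instead of changing the existing account's email.
    Neither mode ever emits an email change for a taken username.
    """
    known_logins = set(existing)
    taken_emails = {e.lower() for e in existing.values()}
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Username"].strip()
        email = row["Email"].strip().lower()
        stored = existing.get(user)
        if stored is None:
            plan.append(("create", user, email))
        elif stored.lower() == email:
            plan.append(("update", user, email))  # same owner: safe to update
        elif mode == "reject":
            plan.append(("error", user, f"email mismatch, DB has {stored}"))
        elif email in taken_emails:
            plan.append(("error", user, "email already belongs to another user"))
        else:
            new_login = f"{user}_{secrets.randbelow(100000):05d}"
            while new_login in known_logins:  # avoid colliding with a real login
                new_login = f"{user}_{secrets.randbelow(100000):05d}"
            plan.append(("create", new_login, email))
        known_logins.add(plan[-1][1])
        taken_emails.add(email)
    return plan
```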
