EmailBot

Fixed bug

Open gerbsec opened this issue 4 years ago • 0 comments

So, as it is right now, you are able to verify a user by bypassing the domain name restriction. As it tells the user to verify, you are able to simply bypass the @ split by using something like this:

Allowed domain: test.edu

Exploit:

"[email protected]@"@mydomain.com

This input will bypass the test, and all I have to do is run an nc listener on port 25 on a VPS and I'll receive the connection with the code and verify. Fixed the issue using two methods; you can choose which one to implement.

gerbsec, Jan 25 '22 20:01
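
An added example, not code from the EmailBot repository or from the issue author: it contrasts a domain check that trusts the text after the first "@" with one that validates the domain mail is actually routed on. The function names, the sample addresses and the assumption that the weak check reads the second element of a split on "@" are all constructed for illustration; this is not either of the two fixes the issue mentions.

```python
# Added illustration; function names and sample addresses are constructed.

def naive_domain_ok(address: str, allowed: str) -> bool:
    """Weak check (assumed shape): trusts the text after the FIRST '@'."""
    parts = address.split("@")
    return len(parts) > 1 and parts[1].lower() == allowed.lower()


def delivery_domain(address: str) -> str:
    """Domain a mail server routes on: everything after the LAST '@'."""
    return address.rpartition("@")[2].lower()


def strict_domain_ok(address: str, allowed: str) -> bool:
    """Hardened check: one '@', plain local part, exact domain match."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    # Quoted local parts are what allow an extra '@' before the real
    # domain; a verification bot has no need to accept them.
    if any(ch in local for ch in '@"\\ \t\r\n'):
        return False
    if any(ch in domain for ch in '"\\ \t\r\n'):
        return False
    # Exact match only: no suffix or substring comparison.
    return domain.lower() == allowed.lower()


ALLOWED = "test.edu"
# Constructed inputs: a normal address, and one with the shape from the issue.
NORMAL = "student@test.edu"
CRAFTED = '"student@test.edu@"@mail.example'

if __name__ == "__main__":
    for addr in (NORMAL, CRAFTED):
        print(addr, naive_domain_ok(addr, ALLOWED),
              strict_domain_ok(addr, ALLOWED), delivery_domain(addr))
```

The naive check and the routing domain disagree on the crafted address, which is the mismatch the issue describes; the strict check rejects it because the validated domain and the delivery domain are the same string.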