| ID | Category | Severity | Reproducibility | Date Submitted | Last Update |
| 0015320 | [phplist] Subscribe Process | feature | always | 11-08-09 11:11 | 13-11-09 20:57 |
| Reporter | Thorsten Albrecht | View Status | public |
| Assigned To | |
| Priority | normal | Resolution | open |
| Status | new | Product Version | 2.10.10 |
| Summary | 0015320: Unsubscription should only be possible by a subscriber himself and not by a third person |
Description

It's possible to unsubscribe somebody else just with the knowledge of his email address (e.g. with mydomain.com/lists/?unsubscribe). One does not have to know his personal preference/unsubscribe link. The unsubscribed user is _immediately_ put on the blacklist, which is probably not what he wants. I think that this should not be possible. This is an inconsistent behaviour related to the procedure of subscribing, where a confirmation mail is needed. Also, this is a security issue. Unsubscribing should only be possible using one's personal preference link, which is normally included in every mailing or which can be sent to the user by mail upon request. If the unsubscribe process should be possible using the unsubscribe link as described above (without any userid), a confirmation link should be sent to the user. This functionality should be provided without the need of enabling user passwords. Thorsten
| Additional Information | |
| Tags | No tags attached. |
| Attached Files | |

Notes
(0050749) spiro (reporter) 06-10-09 19:17

I'm also experiencing this issue so wanted to add a bit more detail... The main issue here is that even with settings in config set to request a password from a user: define("ASKFORPASSWORD",1); define("UNSUBSCRIBE_REQUIRES_PASSWORD",1); when using the uid version of the unsubscribe URL this almost works, with the exception of the login screen being presented without any CSS styling. Secondly and more importantly, it only works properly provided a valid uid is passed in via the unsubscribe URL; otherwise only an email unsubscribe form is presented, allowing any email to be unsubscribed. For some reason the non-uid or invalid-uid unsubscribe URL is accessible in the form of an email-only unsubscribe login when it doesn't seem to serve a purpose, i.e. it should at minimum check for the uid and not be available if the uid passed in is not valid or not present.
|
(0050750) spiro (reporter) 06-10-09 20:39

Done some more investigation and found that the setting of "The default subscribe page when there are multiple" in the PHPList configure screen has an effect on this issue. With my set-up I don't have any subscribe pages, as I'm using a Joomla addon which feeds into the PHPList tables. What I found is that if I change the value in the configure page of the default subscribe page to 0 (zero), then although the default subscribe page stops working, it also now only allows the unsubscribe page to be accessed if a valid unsubscribe URL with a valid uid is used. As I have the password variables set to 1 in the main config.php file as described in the previous note, this seems to now screen out unauthorised users from unsubscribing other emails. It's not a pretty fix but maybe a solution if you don't mind locking down new subscriptions whilst a solution is found and want to protect the existing users from being unsubscribed. It suits those that aren't using the PHPList subscribe page better who want to close down this loophole that mischievous users might try and exploit.
|
(0050753) lwc (reporter) 07-10-09 11:12

Likewise for Subscription: Related to http://mantis.phplist.com/view.php?id=15337
|
(0050779) rrrrob (reporter) 13-11-09 20:57

I just stumbled onto this report; my report is basically on the same issue: http://mantis.phplist.com/view.php?id=15359
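As an added example (not phplist's own code) of the confirmation-link unsubscribe the description asks for, which also closes the email-only form spiro's notes describe: a two-step flow in PHP that needs no user password. The function names, the in-memory arrays standing in for the database, and the sample address are assumptions.

```php
<?php
// Added example, not phplist code: a two-step unsubscribe that never drops a
// subscriber on the strength of an email address alone and needs no password.
// In-memory arrays stand in for the database; function names, the sample
// address and the mailer callback are hypothetical/constructed.

const TOKEN_TTL = 24 * 3600;                 // confirmation link valid for one day

$subscribers = ['alice@example.org' => ['blacklisted' => false]];  // constructed
$pending     = [];                           // sha256(token) => [email, expires]

// Step 1: the public ?unsubscribe form only triggers a confirmation mail.
// The reply is identical whether or not the address is on the list, so the
// form cannot be used to probe who is subscribed.
function requestUnsubscribe(string $email, array &$subscribers, array &$pending, callable $sendMail): string
{
    if (isset($subscribers[$email]) && !$subscribers[$email]['blacklisted']) {
        $token = bin2hex(random_bytes(32));  // 256-bit unguessable token
        $pending[hash('sha256', $token)] = ['email' => $email, 'expires' => time() + TOKEN_TTL];
        $sendMail($email, 'https://mydomain.com/lists/?unsubscribe&token=' . $token);
    }
    return 'If this address is subscribed, a confirmation link has been sent.';
}

// Step 2: only whoever can read the mailbox holds the token, so only they can
// finish. The token is single use and expires; only its hash is ever stored.
function confirmUnsubscribe(string $token, array &$subscribers, array &$pending): bool
{
    $key = hash('sha256', $token);
    if (!isset($pending[$key]) || $pending[$key]['expires'] < time()) {
        return false;                        // unknown, already used or expired
    }
    $email = $pending[$key]['email'];
    unset($pending[$key]);
    $subscribers[$email]['blacklisted'] = true;
    return true;
}

// Walk-through: a third party who knows only the address gets nowhere; the
// mailbox owner who receives the link succeeds exactly once.
$outbox = [];
$mailer = function (string $to, string $link) use (&$outbox) { $outbox[] = $link; };

echo requestUnsubscribe('alice@example.org', $subscribers, $pending, $mailer), PHP_EOL;
$guessed = confirmUnsubscribe(bin2hex(random_bytes(32)), $subscribers, $pending);  // a guessed token is rejected
parse_str(parse_url($outbox[0], PHP_URL_QUERY), $query);
$first  = confirmUnsubscribe($query['token'], $subscribers, $pending);  // the mailed token is accepted
$second = confirmUnsubscribe($query['token'], $subscribers, $pending);  // replaying it is rejected
printf("guess=%d first=%d replay=%d blacklisted=%d\n", $guessed, $first, $second, $subscribers['alice@example.org']['blacklisted']);
```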
Mantis 1.1.6 Copyright © 2000 - 2008 Mantis Group