ID: 0015337
Category: [phplist] Subscribe Process
Severity: major
Reproducibility: always
Date Submitted: 20-09-09 16:46
Last Update: 07-10-09 11:12
Reporter: lwc
View Status: public
Assigned To:
Priority: normal
Resolution: open
Status: new
Product Version: 2.10.10
Summary: 0015337: The subscribe page lets anyone change anyone's details by "re-subscribing"
Description: You can bypass the requirement to know your personal key ID in order to change preferences, if you just enter an existing e-mail address in the regular subscribe form.

True, it's only partial as you can't change selectable options, only add to them. Obviously you also can't change your e-mail address (as the whole trick relies on using an existing one).

That is, anyone can enter your e-mail address and supply new text attributes. Suddenly you find your details contain a different name, town, etc.

But if you're listed in list #1 and list #2, if someone enters your e-mail address and lists you only in list #3, it makes you subscribe to #3 in addition to #1 and #2, not instead.
Additional Information: The direct solution is not to allow entering an existing e-mail address in the subscribe page. Existing e-mail addresses should only be used in the preferences' page.

Alternatively, notify the admin about it (like what happens now) but actually let them decide - "someone entered an existing e-mail address in the subscribe page. The following changed (or not) attributes will NOT be approved, unless you click the following link." But this would require two attributes for each attribute - a current one and a waiting-to-be-confirmed one.

Notes
(0050752)
lwc (reporter)
07-10-09 11:12

Likewise for Unsubscription: http://mantis.phplist.com/view.php?id=15320
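
The behaviour reported in this issue and the "waiting-to-be-confirmed" remedy from Additional Information, modelled in Python as an added example (not phplist's code and not part of the original report). `SubscriberStore`, its methods and the sample addresses are hypothetical names constructed for illustration; the token is assumed to be e-mailed to the approver out of band.

```python
import secrets

class SubscriberStore:
    """In-memory model built for this example; not phplist's schema or API."""

    def __init__(self):
        self.users = {}    # email -> {"attrs": dict, "lists": set}
        self.pending = {}  # one-time token -> (email, attrs, lists)

    def subscribe_vulnerable(self, email, attrs, lists):
        """Reported behaviour: an existing address is merged with no proof of ownership."""
        user = self.users.setdefault(email.strip().lower(), {"attrs": {}, "lists": set()})
        user["attrs"].update(attrs)   # text attributes are overwritten
        user["lists"] |= set(lists)   # lists are added to, never replaced

    def subscribe_hardened(self, email, attrs, lists):
        """New address: create it. Existing address: change nothing and park the
        request under a token that goes only to the approver, never to the submitter."""
        email = email.strip().lower()
        if email not in self.users:
            self.users[email] = {"attrs": dict(attrs), "lists": set(lists)}
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, dict(attrs), set(lists))
        return token

    def confirm(self, token):
        """Apply a parked change exactly once; unknown or reused tokens do nothing."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        email, attrs, lists = entry
        self.users[email]["attrs"].update(attrs)
        self.users[email]["lists"] |= lists
        return True

if __name__ == "__main__":
    store = SubscriberStore()
    store.subscribe_hardened("alice@example.org", {"name": "Alice"}, {1, 2})  # constructed data
    token = store.subscribe_hardened("alice@example.org", {"name": "Someone"}, {3})
    print(store.users["alice@example.org"])  # still Alice on lists 1 and 2
    store.confirm(token)
    print(store.users["alice@example.org"])  # changed only after approval
```

Returning a generic "check your e-mail" response for both the new-address and existing-address branches also keeps the subscribe form from revealing which addresses are already on file.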

