ID: 0015337
Project: phplist
Category: Subscribe Process
View Status: public
Date Submitted: 20-09-09 16:46
Last Update: 07-10-09 11:12
Reporter: lwc
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform:
OS:
OS Version:
Product Version: 2.10.10
Target Version:
Fixed in Version:
Summary: 0015337: The subscribe page lets anyone change anyone's details by "re-subscribing"
Description: You can bypass the requirement to know your personal key ID in order to change preferences, if you just enter an existing e-mail address in the regular subscribe form.

True, it's only partial, as you can't change selectable options, only add to them. Obviously you also can't change your e-mail address (as the whole trick relies on using an existing one).

That is, anyone can enter your e-mail address and supply new text attributes. Suddenly you find your details contain a different name, town, etc.

But if you're listed in list #1 and list #2, if someone enters your e-mail address and lists you only in list #3, it makes you subscribe to #3 in addition to #1 and #2, not instead.
Additional Information: The direct solution is not to allow entering an existing e-mail address in the subscribe page. Existing e-mail addresses should only be used in the preferences page.

Alternatively, notify the admin about it (like what happens now) but actually let them decide - "someone entered an existing e-mail address in the subscribe page. The following changed (or not) attributes will NOT be approved, unless you click the following link." But this would require two attributes for each attribute - a current one and a waiting-to-be-confirmed one.
Tags: No tags attached.

Notes
(0050752)
lwc (reporter)
07-10-09 11:12

Likewise for Unsubscription: http://mantis.phplist.com/view.php?id=15320
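
The behaviour described in the report, next to the direct fix it proposes, as an added example that is not part of the original report and is not phplist code. It is a self-contained PHP model; every function name, field name and the sample subscriber are assumptions made for illustration.

```php
<?php
// Added illustration, not phplist source. All function and field names are hypothetical.
function newRecord(array $attrs, array $lists): array {
    return ['key' => bin2hex(random_bytes(16)), 'attrs' => $attrs, 'lists' => $lists];
}

// Constructed sample data: one existing subscriber on lists 1 and 2.
function sampleStore(): array {
    return ['alice@example.org' => newRecord(['name' => 'Alice', 'town' => 'Leeds'], [1, 2])];
}

// Behaviour described in the report: an existing address is handled as a re-subscribe.
function subscribeReported(array &$store, string $email, array $attrs, array $lists): string {
    if (!isset($store[$email])) {
        $store[$email] = newRecord($attrs, $lists);
        return 'created';
    }
    // No key check: submitted text attributes replace stored ones, lists are only added.
    $store[$email]['attrs'] = array_merge($store[$email]['attrs'], $attrs);
    $store[$email]['lists'] = array_values(array_unique(array_merge($store[$email]['lists'], $lists)));
    return 'updated';
}

// Fix proposed in the report: the subscribe page never modifies an existing record.
function subscribeHardened(array &$store, string $email, array $attrs, array $lists): string {
    if (isset($store[$email])) {
        return 'exists'; // caller points the user to the preferences page instead
    }
    $store[$email] = newRecord($attrs, $lists);
    return 'created';
}

// Preferences page: a change is accepted only with the subscriber's personal key.
function updatePreferences(array &$store, string $email, string $key, array $attrs): bool {
    if (!isset($store[$email]) || !hash_equals($store[$email]['key'], $key)) {
        return false;
    }
    $store[$email]['attrs'] = array_merge($store[$email]['attrs'], $attrs);
    return true;
}

// Send the same keyless submission for an existing address through both handlers.
foreach (['subscribeReported', 'subscribeHardened'] as $handler) {
    $store = sampleStore();
    $status = $handler($store, 'alice@example.org', ['name' => 'Mallory'], [3]);
    $record = array_diff_key($store['alice@example.org'], ['key' => true]); // hide the key
    printf("%s: %s %s\n", $handler, $status, json_encode($record));
}
```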

