View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0015337 | phpList 3 application | Subscribe Process | public | 20-09-09 16:46 | 01-11-12 14:51 |
| Target Version | Fixed in Version |
|---|---|
| | 2.11.8 |

Summary: 0015337: The subscribe page lets anyone change anyone's details by "re-subscribing"
Description: You can bypass the requirement to know your personal key ID in order to change preferences, if you just enter an existing e-mail address in the regular subscribe form.
True, it's only partial as you can't change selectable options, only adding to them. Obviously you also can't change your e-mail address (as the whole trick relies on using an existing one).
That is, anyone can enter your e-mail address and supply new text attributes. Suddenly you find your details contain a different name, town, etc.
But if you're listed in list #1 and list #2, if someone enters your e-mail address and lists you only in list #3, it makes you subscribe to #3 in addition to #1 and #2, not instead.
Additional Information: The direct solution is not to allow entering an existing e-mail address in the subscribe page. Existing e-mail addresses should only be used in the preferences page.
Alternatively, notify the admin about it (like what happens now) but actually let them decide - "someone entered an existing e-mail address in the subscribe page. The following changed (or not) attributes will NOT be approved, unless you click the following link." But this would require two attributes for each attribute - a current one and a waiting-to-be-confirmed one.
Tags: No tags attached.
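The flaw in the report, and the "hold changes until the address owner confirms" fix proposed under Additional Information, modelled as a minimal in-memory subscribe handler. This is an added illustration, not phpList code; `Subscriber`, `subscribe_merging`, `subscribe_guarded` and `confirm_pending` are invented names, and the sample store is constructed inline.

```python
# Added model of the phpList subscribe-page flaw; not the project's own code.
from dataclasses import dataclass, field
from typing import Optional
import secrets

@dataclass
class Subscriber:
    email: str
    attributes: dict = field(default_factory=dict)   # text attributes: name, town, ...
    lists: set = field(default_factory=set)          # ids of lists subscribed to
    pending: Optional[dict] = None                   # changes awaiting confirmation

def subscribe_merging(db, email, attributes, lists):
    """Flawed behaviour from the report: an existing address is updated in
    place. Text attributes are overwritten and lists are ADDED (not replaced),
    so anyone who merely knows the address can alter the record."""
    sub = db.setdefault(email, Subscriber(email))
    sub.attributes.update(attributes)
    sub.lists |= set(lists)
    return sub

def subscribe_guarded(db, email, attributes, lists):
    """Hardened variant: a new address is created as before, but an existing
    record is never modified by the public form. The requested changes are
    parked and applied only via a token mailed to that address."""
    if email not in db:
        db[email] = Subscriber(email, dict(attributes), set(lists))
        return "created", None
    sub = db[email]
    token = secrets.token_urlsafe(16)          # sent only to `email`, never shown
    sub.pending = {"token": token,
                   "attributes": dict(attributes),
                   "lists": set(lists)}
    return "pending_confirmation", token

def confirm_pending(db, email, token):
    """Apply parked changes only when the owner presents the mailed token."""
    sub = db.get(email)
    if sub is None or sub.pending is None:
        return False
    if not secrets.compare_digest(sub.pending["token"], token):
        return False
    sub.attributes.update(sub.pending["attributes"])
    sub.lists |= sub.pending["lists"]
    sub.pending = None
    return True
```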
Likewise for Unsubscription: http://mantis.phplist.com/view.php?id=15320
Fairly old, but probably still relevant issue. The main question I have is that if you re-subscribe, you do need to confirm this by clicking the link in the confirmation email.
So, in the remotely possible case that someone tries to mess around with someone else's email address, which for starters they will need to know, the "victim" is still informed, because they will receive the request for confirmation.