View Issue Details

IDProjectCategoryView StatusLast Update
0015337phpList 3 applicationSubscribe Processpublic01-11-12 14:51
Status resolvedResolutionduplicate 
Product Version2.10.10 
Target VersionFixed in Version2.11.8 
Summary0015337: The subscribe page lets anyone change anyone's details by "re-subscribing"
DescriptionYou can bypass the requirement to know your personal key ID in order to change preferences, if you just enter an existing e-mail address in the regulsr subscribe form.

True, it's only partial as you can't change selectable options, only adding to them. Obviously you also can't change your e-mail address (as the whole trick relies on using an existing one).

That is, anyone can enter your e-mail address and supply new text attributes. Suddenly you find your details contain a different name, town, etc.

But if you're listed in list #1 and list #2, if someone enters your e-mail address and lists you only in list #3, it makes you subscribe to #3 in addition to #1 and #2, not instead.
Additional InformationThe direct solution is not to allow entering an existing e-mail address in the subscribe page. Existing e-mail addresses should only be used in the preferences' page.

Alternatively, notify the admin about it (like what happens now) but actually let them decide - "someone entered an existing e-mail address in the subscribe page. The following changed (or not) attributes will NOT be approved, unless you click the following link." But this would require two attributes for each attribute - a current one and a waiting-to-be-confirmed one.
TagsNo tags attached.


duplicate of 0015557 resolvedmichiel When subscribing phpList doesn't check if user already exists and overwrites existing user data 
related to 0015320 resolvedmichiel Unsubscription should only be possible by a subscriber himself and not by a third person 



07-10-09 11:12

updater   ~0050752

Likewise for Unsubscription:


23-05-12 01:41

manager   ~0051588

fairly old, but probably still relevant issue. The main question I have is that if you re-subscribe, you do need to confirm this by clicking the link in the confirmation email.

So, in the remotely possible case that someone tries to mess around with someone else's email address, which for starters they will need to know, the "victim" is still informed, because they will receive the request for confirmation.