View Issue Details

ID: 0015557
Project: phpList 3 application
Category: Subscribe Process
View Status: public
Last Update: 01-11-12 14:50
Reporter: h2b2
Assigned To: (none)
Status: resolved
Resolution: fixed
Product Version: 2.10.10
Fixed in Version: 2.11.8
Summary: 0015557: When subscribing phpList doesn't check if user already exists and overwrites existing user data
Description: When someone subscribes, phpList doesn't check if the user already exists and overwrites the existing user data. This could be problematic in the following scenario, as described by jsp254:
=== Start quote ===
say a dad has registered with their family email address. he forgot to tell mom and she doesn't know. 4 days later, mom tries to register!!!

when she tries, it is supposed to pop up a message saying that email already exists, or already in database, or a similar message. it's not doing that.

so when mom completes the form, it changes all of the information in the database to what ever she put in.

so next week when dad gets his newsletter, i'm referring to him as nancy or judy!!!! see the problem?
=== End quote ===
Additional Information: CS2 suggests the following solution:
=== Start quote ===
I agree that this could be problematic. To prevent this, edit admin/subscribelib2.php. Search for the following text around line 160 (it will vary a bit depending on which version of PHPlist you're running):

        # they do exist, so update the existing record
        # read the current values to compare changes

Immediately below that, add these lines:
        # Only intervene on the public subscribe page; other callers (e.g. the
        # admin user editor) keep the existing update behaviour.
        if (isset($_GET['p']) && $_GET['p'] == "subscribe")
          $msg = "A user with that email already exists. Click <a href='".getConfig("preferencesurl").
                 "'>this link</a> if you wish to update your personal information.";

Basically, at the point we add the code, the script has already determined that this is an existing user. We're adding an additional check to determine if it's the subscribe page. If it is, then we're informing the user that their email already exists in the database and providing them a link to the preferences page. I intentionally linked to the base preferences page without including their email or uniqid in order to force them to enter their email address again and a link to their preferences page will be emailed to them. This is a security measure against someone maliciously altering somebody else's information. However, you can make $msg be whatever you like. It will print the value of $msg to the screen and basically halt execution of the script, preventing the type of problem described by the original poster.
=== End quote ===
Tags: No tags attached.


Relationships:
related to 0015487 (resolved, michiel): Adding user with admin/?page=user does not check if the user is already in the database and then replace the old values
has duplicate 0015337 (resolved, michiel): The subscribe page lets anyone change anyone's details by "re-subscribing"



Note ~0051831 by administrator, 01-11-12 14:50:

added config SILENT_RESUBSCRIBE which can be set to false to change this behaviour
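The following is an added illustration, not phpList's own code and not CS2's patch: it models the subscribe flow over an in-memory subscriber table so the silent overwrite from the report can be seen beside the existence check CS2 proposed and the SILENT_RESUBSCRIBE switch named in the resolution note. The function names (subscribe_unchecked, subscribe_checked, sample_subscribers), the PREFERENCES_URL value, the sample records and the exact semantics assigned to SILENT_RESUBSCRIBE (true keeps the old in-place update, false makes the public subscribe page refuse) are assumptions for this example; the note only says the flag can be set to false to change the behaviour.

```php
<?php
// Added illustration (not phpList's own code): a minimal model of the
// subscribe flow over an in-memory subscriber table, showing the silent
// overwrite from the report beside the existence check CS2 proposed and
// the SILENT_RESUBSCRIBE switch from the resolution note.

// Assumed semantics of the config flag, based only on the resolution note:
// true  = legacy behaviour, an existing record is updated in place;
// false = the public subscribe page refuses and points to the preferences page.
const SILENT_RESUBSCRIBE = false;

// Assumed base preferences URL. It deliberately carries no email or uniqid,
// so the requester must have a personal link mailed to the address itself.
const PREFERENCES_URL = 'https://lists.example.com/?p=preferences';

// Constructed sample table: "dad" already subscribed with the family address.
function sample_subscribers(): array
{
    return [
        'family@example.com' => ['name' => 'Dad', 'uniqid' => 'abc123'],
    ];
}

/**
 * Vulnerable flow: any submission naming an existing address replaces that
 * record's fields. Nothing checks that the submitter controls the mailbox.
 */
function subscribe_unchecked(array &$table, string $email, array $data): string
{
    $email = strtolower(trim($email));
    $table[$email] = array_merge($table[$email] ?? [], $data);
    return "Subscription saved for $email";
}

/**
 * Checked flow. $page models $_GET['p'] from subscribelib2.php: the refusal
 * applies only to the public subscribe page, so the admin user editor and
 * confirmed preference updates keep working.
 */
function subscribe_checked(array &$table, string $email, array $data, string $page): string
{
    $email = strtolower(trim($email));
    if (isset($table[$email])) {
        if ($page === 'subscribe' && !SILENT_RESUBSCRIBE) {
            // Leave the record untouched and tell the visitor how to get a
            // personal preferences link sent to the mailbox instead. The
            // message is rendered as HTML, so escape the URL.
            return 'A user with that email already exists. Click <a href="'
                 . htmlspecialchars(PREFERENCES_URL, ENT_QUOTES, 'UTF-8')
                 . '">this link</a> if you wish to update your personal information.';
        }
        $table[$email] = array_merge($table[$email], $data);
        return "Existing subscription updated for $email";
    }
    // New address: create the record with a fresh uniqid for its preferences link.
    $table[$email] = array_merge($data, ['uniqid' => bin2hex(random_bytes(8))]);
    return "New subscription created for $email";
}

// Demo: "mom" submits the family address with her own name from the subscribe page.
$vulnerable = sample_subscribers();
echo subscribe_unchecked($vulnerable, 'family@example.com', ['name' => 'Nancy']), PHP_EOL;
echo 'Unchecked, record now belongs to: ', $vulnerable['family@example.com']['name'], PHP_EOL;

$checked = sample_subscribers();
echo subscribe_checked($checked, 'family@example.com', ['name' => 'Nancy'], 'subscribe'), PHP_EOL;
echo 'Checked, record still belongs to: ', $checked['family@example.com']['name'], PHP_EOL;

// A genuinely new address is still accepted by the checked flow.
echo subscribe_checked($checked, 'newreader@example.com', ['name' => 'Judy'], 'subscribe'), PHP_EOL;
```

Run it with `php` on the command line: the unchecked path reports the family record as belonging to "Nancy", the checked path leaves it as "Dad" and returns the preferences message instead. The key design point is the one CS2 made: the link goes to the base preferences page, so a change to an existing record can only be made by someone who can read mail at that address.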