[ mailman-Bugs-703941 ] Invited user can subscribe to any list (inc private lists)

SourceForge.net noreply at sourceforge.net
Fri Mar 14 17:03:34 EST 2003


Bugs item #703941, was opened at 2003-03-15 12:03
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=703941&group_id=103

Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Stuart Bishop (zenzen)
Assigned to: Nobody/Anonymous (nobody)
Summary: Invited user can subscribe to any list (inc private lists)

Initial Comment:
Currently, the Pending queue maintains no reference to
what mailing list a subscription request is for. This
is encoded in the URL, and isn't a security problem for
subscriptions. However, Invitations are a special sort
of subscription that bypasses the subscription approval
step if the user accepts the invitation. So if a user
munges the URL they are sent from
http://wherever/invited_list/123cookie to
http://whereever/private_list/123cookie, and goes to
that link, they are subscribed to the private list with
no notification to anyone.

Simple solution may be to set userdesc.invited to the
listname rather than just '1', and then when checking
for the invited flag make sure that someone is hacking
the system.

----------------------------------------------------------------------
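The flaw and the proposed remedy side by side, as an added example that is not Mailman's own code: a simplified pending-request store (the `PendingStore` class, the `userdesc` field names and the `invite_*`/`accept_*` functions are assumptions, not Mailman's API). The vulnerable path honours an `invited` flag of `'1'` for whatever list name appears in the confirmation URL; the fixed path stores the list name in `userdesc['invited']` and refuses a confirmation whose URL names a different list.

```python
import secrets


class PendingStore:
    """Constructed stand-in for the pending queue: cookie -> userdesc."""

    def __init__(self):
        self._db = {}

    def new(self, userdesc):
        cookie = secrets.token_hex(8)  # random, single-use confirmation cookie
        self._db[cookie] = userdesc
        return cookie

    def confirm(self, cookie):
        # Pop so the cookie can only ever be confirmed once.
        return self._db.pop(cookie, None)


def invite_vulnerable(store, listname, address):
    # The invitation records only a bare flag; the list is left to the URL.
    return store.new({'address': address, 'invited': '1'})


def invite_fixed(store, listname, address):
    # Bind the invitation to the list it was actually issued for.
    return store.new({'address': address, 'invited': listname})


def accept_vulnerable(store, requested_list, cookie):
    """requested_list comes from the URL path and is trusted blindly."""
    userdesc = store.confirm(cookie)
    if userdesc is None:
        return ('unknown-cookie', None)
    if userdesc.get('invited'):
        return ('subscribed', requested_list)  # approval step skipped
    return ('needs-approval', requested_list)


def accept_fixed(store, requested_list, cookie):
    """The stored list name must match the list named in the URL."""
    userdesc = store.confirm(cookie)
    if userdesc is None:
        return ('unknown-cookie', None)
    invited_for = userdesc.get('invited')
    if invited_for is None:
        return ('needs-approval', requested_list)  # ordinary subscription
    if invited_for != requested_list:
        # Mismatch: the cookie is consumed, so it cannot be retried elsewhere.
        return ('rejected-list-mismatch', None)
    return ('subscribed', requested_list)
```

A moderator-visible log entry at the mismatch branch is the natural place to record the attempt, since the report notes that the bypass otherwise produces no notification to anyone.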
