CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: major email subscription security flaw?  (Read 2147 times)

chrism

  • Guest
major email subscription security flaw?
September 23, 2008, 02:28:50 pm
I may be missing something, but just discovered today what seems like a major security flaw in email subscription pages:

Groups that have Mailing List unchecked, and access set to User and User Admin only, can still be accessed from subscription pages when gid=x is set.

The lists are correctly omitted from the mailing list subscription listing when gid is not specified.

To recreate on the demo server:
(See the Administrator sign-up page)
http://drupal.demo.civicrm.org/civicrm/mailing/subscribe?reset=1&gid=1
(but then on the list overall the Administrator page does not show up)
http://drupal.demo.civicrm.org/civicrm/mailing/subscribe?reset=1

It doesn't look like emails are actually being added to the lists, but isn't it the case that they shouldn't show up if access is set to User and User Admin?

Further, I don't seem to be able to successfully sign up to a mailing list, even when I am supposed to be able to.  When I submit the form at
http://drupal.demo.civicrm.org/civicrm/mailing/subscribe?reset=1
with one or more of the Public lists checked I would expect the contact to show up with pending status.

Chris
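The bug described in this post is a classic split between a listing path that applies a visibility filter and a direct-lookup path (gid=x) that does not. The following is an added, simplified model written for this thread, not CiviCRM's own code; the group data, field names and function names are all constructed for illustration.

```python
# Hypothetical model of the reported subscribe-page behaviour (not CiviCRM code).
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC = "Public Pages"
ADMIN_ONLY = "User and User Admin Only"


@dataclass(frozen=True)
class Group:
    gid: int
    title: str
    is_mailing_list: bool
    visibility: str


# Constructed sample data mirroring the report: gid=1 is an admin-only,
# non-mailing-list group; gid=2 is a public mailing list.
GROUPS: Dict[int, Group] = {
    1: Group(1, "Administrators", is_mailing_list=False, visibility=ADMIN_ONLY),
    2: Group(2, "Newsletter", is_mailing_list=True, visibility=PUBLIC),
}


def is_subscribable(group: Group) -> bool:
    """Single authorization predicate shared by every subscribe entry point."""
    return group.is_mailing_list and group.visibility == PUBLIC


def list_subscribable(groups: Dict[int, Group]) -> List[Group]:
    """The listing path (no gid): filters correctly, as the report observes."""
    return [g for g in groups.values() if is_subscribable(g)]


def subscribe_page_vulnerable(groups: Dict[int, Group], gid: int) -> Optional[Group]:
    """Direct gid path as reported: looks the group up without re-checking
    visibility, so a hidden group is rendered on the subscribe form."""
    return groups.get(gid)


def subscribe_page_fixed(groups: Dict[int, Group], gid: int) -> Optional[Group]:
    """Direct gid path that reuses the listing's predicate, so a group that is
    omitted from the list can never be reached by guessing its id."""
    group = groups.get(gid)
    if group is None or not is_subscribable(group):
        return None
    return group
```

The defensive point is that the direct-object path must apply exactly the same predicate as the listing; a fix that only hides the group from the list leaves the gid route open.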

Donald Lobo

  • Administrator
Re: major email subscription security flaw?
September 23, 2008, 04:54:50 pm

hey chris:

can u file an issue for the first one, and we'll take care of it in the next 2.1 release

lobo

chrism

  • Guest
Re: major email subscription security flaw?
September 23, 2008, 05:41:42 pm
done:  http://issues.civicrm.org/jira/browse/CRM-3603

C
