View Issue Details
Field | Value
---|---
ID | 0004753
Project | OXID eShop (all versions)
Category | 4.04. Security
View Status | public
Date Submitted | 2012-11-27 13:50
Last Update | 2012-11-27 16:57
Reporter | tjungcl
Assigned To | 
Priority | urgent
Severity | crash
Reproducibility | always
Status | resolved
Resolution | fixed
Product Version | 4.6.5 revision 49955
Fixed in Version | 4.6.6 revision 54646
Summary | 0004753: double opt-in can be fooled completely
Description | Starting from the reported bug 0004752 I went further: the double-opt-in confirmation can easily be fooled completely, confirming ANY email! All you need is the oxuserid of the user. You can get it from the user's wishlist. The userid is the "wishid"/"owishid". So, create a new user with the target email address. Put something into your wishlist and open the wishlist. Look in the source for wishid. The value is the userid. Now type in: shopurl/?cl=newsletter&fnc=addme&uid=[the userid]. Another way to get the userid is to send the newsletter opt-in to another email address and then change the email back, as reported in 0004752. This is really serious. Currently double opt-in is not secure in OXID shops.
Tags | No tags attached.
Theme | Both
Browser | All
PHP Version | any
Database Version | any
has duplicate | 0004752 (resolved, aurimas.gladutis): double opt-in link reusable
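The description above points at the root cause: the confirmation endpoint accepts the bare user id, a value that is exposed elsewhere in the shop, so possession of the id is treated as proof that the confirmation mail was received. The PHP sketch below is added here as an illustration; it is not code from OXID eShop or from the reporter. It places the weak pattern next to a hardened one in which the confirmation link carries a random secret bound to the pending subscription, stored only as a hash, time-limited and single-use. Class, method, field and sample values are assumptions made for the example.

```php
<?php
// Added example, not OXID eShop code. Class, method and field names are
// assumptions made for this illustration; the in-memory arrays stand in
// for the database tables a real shop would use.

declare(strict_types=1);

final class NewsletterOptIn
{
    /** @var array<string, array{hash: string, expiresAt: int}> userId => pending row */
    private array $pending = [];
    /** @var array<string, bool> userId => confirmed */
    private array $confirmed = [];

    public function __construct(private int $ttlSeconds = 86400) {}

    /**
     * Weak pattern, as described in the report: the confirmation depends only
     * on the user id. Because that id is discoverable (wishlist source, or the
     * change-email trick from 0004752), anyone who knows it can confirm the
     * subscription. Shown for contrast only.
     */
    public function confirmByUserIdOnly(string $userId): bool
    {
        if (!isset($this->pending[$userId])) {
            return false;
        }
        $this->confirmed[$userId] = true;
        unset($this->pending[$userId]);
        return true;
    }

    /**
     * Hardened pattern: on subscribe, issue a 32-byte random token. Only its
     * SHA-256 hash is stored, so reading the table does not disclose the token;
     * the raw token goes into the confirmation e-mail and nowhere else.
     */
    public function subscribe(string $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->pending[$userId] = [
            'hash'      => hash('sha256', $token),
            'expiresAt' => $now + $this->ttlSeconds,
        ];
        return $token; // placed in the mailed link only
    }

    /**
     * Confirmation needs the user id AND the matching token, compared in
     * constant time, inside the validity window, and it works exactly once.
     */
    public function confirm(string $userId, string $token, int $now): bool
    {
        $row = $this->pending[$userId] ?? null;
        if ($row === null) {
            return false;
        }
        if ($now > $row['expiresAt']) {
            unset($this->pending[$userId]); // expired link is discarded
            return false;
        }
        if (!hash_equals($row['hash'], hash('sha256', $token))) {
            return false; // wrong or guessed token; the id alone is not enough
        }
        $this->confirmed[$userId] = true;
        unset($this->pending[$userId]); // the link cannot be replayed
        return true;
    }

    public function isConfirmed(string $userId): bool
    {
        return $this->confirmed[$userId] ?? false;
    }
}

// Demonstration with constructed values.
$optIn  = new NewsletterOptIn(ttlSeconds: 3600);
$now    = 1_700_000_000;
$userId = 'user-123'; // constructed id standing in for the shop's user id

// Weak flow: the id alone completes the confirmation.
$optIn->subscribe($userId, $now);
var_dump($optIn->confirmByUserIdOnly($userId));

// Hardened flow: wrong token, expired token, valid token, replayed token.
$token = $optIn->subscribe($userId, $now);
var_dump($optIn->confirm($userId, 'not-the-token', $now));   // wrong token
var_dump($optIn->confirm($userId, $token, $now + 7200));     // past the 3600 s window
$token = $optIn->subscribe($userId, $now);
var_dump($optIn->confirm($userId, $token, $now + 60));       // genuine link
var_dump($optIn->confirm($userId, $token, $now + 60));       // same link again
```

The design point is that the secret in the link is never derivable from data the shop shows to a logged-in user, so a change of e-mail address after the mail was sent (the 0004752 variant) or knowledge of the id (this report) no longer yields a confirmed subscription for an address the requester does not control.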