View Issue Details

ID: 0004753
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2012-11-27 16:57
Reporter: tjungcl
Priority: urgent
Severity: critical
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.6.5 revision 49955
Target Version:
Fixed in Version: 4.6.6 revision 54646
Summary: 0004753: double opt-in can be fooled completely
Description: Starting from the reported bug 0004752, I went further:

The double-opt-in confirmation can easily be fooled completely, confirming ANY email!!

All you need is the oxuserid of the user.

You can get it from the user's wishlist. The userid is the "wishid"/"owishid".

So, create a new user with the target email address. Put something in your wishlist and open the wishlist. Look in the source for wishid. The value is the userid. Now type in: shopurl/?cl=newsletter&fnc=addme&uid=[the userid]

Another way to get the userid is to send the newsletter opt-in to another email address, and then change the email back, as reported in 0004752.

This is really serious. Currently Double-Opt-In is not proof in oxid shops.

Tags: No tags attached.
Theme: Both
Browser: All
PHP Version: any
MySQL Version: any

Relationships

has duplicate 0004752 (resolved, aurimas.gladutis): double opt-in link reusable

Activities

aurimas.gladutis
2012-11-27 16:57
reporter ~0007999

Hi, thank you for your collaboration. We have added a confirm key to the newsletter confirmation. This should stop users from fooling the newsletter activation.
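The confirm-key pattern the fix describes, written here as an added Python illustration rather than OXID's own code (the in-memory store, the `confirm` parameter name and the function names are assumptions): the addme handler accepts a subscription only when the request carries the random, single-use key that was mailed for that user, so a bare uid, a guessed value, a replayed link, or a key mailed before an address change all do nothing.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Subscriber:
    user_id: str
    email: str
    confirm_key: Optional[str] = None  # pending key; cleared once used or voided
    confirmed: bool = False


# Constructed in-memory store standing in for the shop's subscriber table (assumption).
SUBSCRIBERS: Dict[str, Subscriber] = {}


def request_opt_in(user_id: str, email: str) -> str:
    """Start (or restart) opt-in: mint a fresh random key bound to this user and
    address. The returned key is what the confirmation mail link must carry."""
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    SUBSCRIBERS[user_id] = Subscriber(user_id, email, confirm_key=key)
    return key


def change_email(user_id: str, new_email: str) -> None:
    """An address change while opt-in is pending voids the outstanding key,
    so a key mailed to one address can never confirm a different one."""
    sub = SUBSCRIBERS.get(user_id)
    if sub is not None and not sub.confirmed:
        sub.email = new_email
        sub.confirm_key = None


def confirm(params: Dict[str, str]) -> bool:
    """Handle the addme link: ?uid=...&confirm=... (parameter name assumed).
    Returns True only when the presented key matches the pending one."""
    sub = SUBSCRIBERS.get(params.get("uid", ""))
    presented = params.get("confirm", "")
    if sub is None or sub.confirm_key is None or not presented:
        return False  # a bare uid, as in the report, is no longer sufficient
    # constant-time comparison on bytes so response timing cannot leak the key
    if not hmac.compare_digest(sub.confirm_key.encode(), presented.encode()):
        return False
    sub.confirmed = True
    sub.confirm_key = None  # single use: the same link cannot be replayed
    return True
```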