View Issue Details

IDProjectCategoryView StatusLast Update
0004753OXID eShop (all versions)4.04. Securitypublic2012-11-27 16:57
Reportertjungcl Assigned To 
Status resolvedResolutionfixed 
Product Version4.6.5 revision 49955 
Fixed in Version4.6.6 revision 54646 
Summary0004753: double opt-in can be fooled completly
Descriptionstarting from the reported bug 0004752 I went further:

The double-opt-in confirmation can easily be fooled completly, confirming ANY email!!

All you need is the oxuserid of the user.

You can get it from the users wishlist. The userid is the "wishid"/"owishid".

So, create a new user with the target-email-address. Put something to your wishlist and open the wishlist. look in the source for wishid. The value is the userid. Now type in : shopurl/?cl=newsletter&fnc=addme&uid=[the userid]

Another way to get the userid is to sent the newsletter-opt-in to another email-address, and then change the email back, as reported in 0004752

This is really serious. Currenty Double-Opt-In is not proof in oxid shops.

TagsNo tags attached.
PHP Versionany
Database Versionany


has duplicate 0004752 resolvedaurimas.gladutis double opt-in link reusable 



2012-11-27 16:57

reporter   ~0007999

Hi, thank you for your collaboration. We have added confirm key in newsletters confirmation. This should stop users from fooling newsletters activation.