[ mailman-Bugs-703941 ] Invited user can subscribe to any list (inc private lists)
Bugs item #703941, was opened at 2003-03-14 20:03
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=703941&group_id=103

Category: security/privacy
Group: 2.1 (stable)
Status: Closed
Resolution: Fixed
Priority: 8
Submitted By: Stuart Bishop (zenzen)
Assigned to: Nobody/Anonymous (nobody)
Summary: Invited user can subscribe to any list (inc private lists)
Initial Comment:

Currently, the Pending queue maintains no reference to what mailing list a subscription request is for. This is encoded in the URL, and isn't a security problem for subscriptions.

However, Invitations are a special sort of subscription that bypasses the subscription approval step if the user accepts the invitation. So if a user munges the URL they are sent from http://wherever/invited_list/123cookie to http://wherever/private_list/123cookie, and goes to that link, they are subscribed to the private list with no notification to anyone.

Simple solution may be to set userdesc.invited to the listname rather than just '1', and then when checking for the invited flag make sure that someone is hacking the system.

----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-03-16 02:09

Message:
Logged In: YES
user_id=12800

Fixed!

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-03-15 09:56

Message:
Logged In: YES
user_id=12800

Raising the priority so this must be fixed for 2.1.2

----------------------------------------------------------------------
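The following is an added illustration of the flaw and of the fix suggested in the report (binding the invited flag to the list name); it is not Mailman's code. The store, list table, function names and sample addresses are constructed for this example.

```python
"""Model of bug #703941: an invitation cookie that is not bound to a list.

Constructed example, not Mailman's implementation. PENDING stands in for the
Pending queue; 'invited' holds the list the invitation was issued for instead
of a bare '1', so a confirmation URL rewritten to another list is refused.
"""
import secrets

# Pending requests keyed by cookie (constructed stand-in for the Pending queue).
PENDING = {}

# Constructed sample lists; the private one requires approval to join.
LISTS = {
    "invited_list": {"private": False, "members": set()},
    "private_list": {"private": True, "members": set()},
}

def issue_invitation(listname, address):
    """Create an invitation cookie and record which list it was issued for."""
    cookie = secrets.token_hex(8)
    PENDING[cookie] = {"address": address, "invited": listname}
    return cookie

def confirm_vulnerable(listname, cookie):
    """Pre-fix behaviour: any truthy 'invited' value skips approval on any list,
    so the list name taken from the URL is trusted without a cross-check."""
    req = PENDING.get(cookie)
    if req is None:
        return "unknown cookie"
    if req["invited"] or not LISTS[listname]["private"]:
        LISTS[listname]["members"].add(req["address"])
        return "subscribed"
    return "held for approval"

def confirm_fixed(listname, cookie):
    """Fixed behaviour: the invitation bypasses approval only for the list it
    names; a mismatch between cookie and URL is refused, not silently accepted."""
    req = PENDING.get(cookie)
    if req is None:
        return "unknown cookie"
    if req["invited"] is not None and req["invited"] != listname:
        return "rejected: invitation was for %s" % req["invited"]
    if req["invited"] == listname or not LISTS[listname]["private"]:
        LISTS[listname]["members"].add(req["address"])
        return "subscribed"
    return "held for approval"
```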