[ mailman-Bugs-703941 ] Invited user can subscribe to any list (inc private lists)

SourceForge.net noreply at sourceforge.net
Sat Mar 15 23:09:37 EST 2003


Bugs item #703941, was opened at 2003-03-14 20:03
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=703941&group_id=103

Category: security/privacy
Group: 2.1 (stable)
>Status: Closed
>Resolution: Fixed
Priority: 8
Submitted By: Stuart Bishop (zenzen)
Assigned to: Nobody/Anonymous (nobody)
Summary: Invited user can subscribe to any list (inc private lists)

Initial Comment:
Currently, the Pending queue maintains no reference to
what mailing list a subscription request is for. This
is encoded in the URL, and isn't a security problem for
subscriptions. However, Invitations are a special sort
of subscription that bypasses the subscription approval
step if the user accepts the invitation. So if a user
munges the URL they are sent from
http://wherever/invited_list/123cookie to
http://wherever/private_list/123cookie, and goes to
that link, they are subscribed to the private list with
no notification to anyone.

Simple solution may be to set userdesc.invited to the
listname rather than just '1', and then when checking
for the invited flag make sure that someone is hacking
the system.

----------------------------------------------------------------------
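To make the bug and the suggested fix concrete, here is an added example (not Mailman's own code, and not the submitter's or Barry Warsaw's): a toy pending-request store with a `bind_list_to_invite` switch. With the switch off it behaves as the report describes, storing only a bare `invited` flag so the confirmation handler trusts whatever list name is in the URL; with it on, the list name is stored in the pending record and a confirmation for a different list is refused. The list names, the policy table and the record layout are constructed for the example and are not taken from Mailman.

```python
import secrets

# Constructed sample configuration mirroring the two URLs in the report:
# one list that invited the user, one list that requires admin approval.
LIST_POLICY = {"invited_list": "open", "private_list": "require_approval"}


class PendingDB:
    """Minimal stand-in for a pending-confirmation queue (assumed design)."""

    def __init__(self, bind_list_to_invite):
        # False: store invited=1 only (the reported bug).
        # True: store the list name in the invited field (the suggested fix).
        self.bind = bind_list_to_invite
        self.records = {}  # cookie -> {"email": ..., "invited": ...}
        self.subscribers = {name: set() for name in LIST_POLICY}
        self.awaiting_approval = {name: [] for name in LIST_POLICY}

    def invite(self, listname, email):
        """Admin invites a user; returns the cookie mailed to them."""
        cookie = secrets.token_hex(8)
        self.records[cookie] = {
            "email": email,
            "invited": listname if self.bind else 1,
        }
        return cookie

    def request_subscription(self, listname, email):
        """Ordinary self-subscription request; invited is 0, so the
        list's policy decides whether it is held for approval."""
        cookie = secrets.token_hex(8)
        self.records[cookie] = {"email": email, "invited": 0}
        return cookie

    def confirm(self, listname, cookie):
        """Handle the confirmation URL /<listname>/<cookie>.

        Returns one of "invalid", "mismatch", "subscribed", "held".
        """
        rec = self.records.get(cookie)
        if rec is None:
            return "invalid"
        invited = rec["invited"]
        if invited:
            # Fixed mode: the cookie is only good for the list it was minted
            # for. The record is left untouched so a bad URL cannot burn the
            # legitimate invitation; a real system would also log this.
            if self.bind and invited != listname:
                return "mismatch"
            # Invitation accepted: bypasses the approval step by design.
            self.records.pop(cookie)
            self.subscribers[listname].add(rec["email"])
            return "subscribed"
        # Not an invitation: apply the target list's normal policy.
        self.records.pop(cookie)
        if LIST_POLICY[listname] == "require_approval":
            self.awaiting_approval[listname].append(rec["email"])
            return "held"
        self.subscribers[listname].add(rec["email"])
        return "subscribed"


def demo():
    """Returns (buggy_outcome, fixed_outcome) for a munged confirmation URL."""
    buggy = PendingDB(bind_list_to_invite=False)
    c = buggy.invite("invited_list", "alice@example.com")
    buggy_outcome = buggy.confirm("private_list", c)  # "subscribed"

    fixed = PendingDB(bind_list_to_invite=True)
    c = fixed.invite("invited_list", "alice@example.com")
    fixed_outcome = fixed.confirm("private_list", c)  # "mismatch"
    return buggy_outcome, fixed_outcome


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed where the invitation privilege is consumed rather than where the URL is parsed: the pending record, not the URL, is the source of truth for which list an invitation belongs to, which is exactly what the report's suggestion of storing the list name in `userdesc.invited` achieves.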

>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-03-16 02:09

Message:
Logged In: YES 
user_id=12800

Fixed!

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-03-15 09:56

Message:
Logged In: YES 
user_id=12800

Raising the priority so this must be fixed for 2.1.2

----------------------------------------------------------------------
