My security specialist has just shown me how to overrule the double opt-in or how to change other mail addresses.
If I have knowledge of a mail address it seems very easy to manage those, as the "special code" needed just seems to be base64 coded (where the already mentioned cross-site scripting also can be used to start JavaScript code).
I hope that those security flaws are already known and in the works?
I'd really love to hear from the makers of this plugin about that.
I don't want to rule out that this has nothing to do with the plugin but is a coincidence in my installation, but right now I am a little frightened that if I use that plugin I might be attackable.
Changing of other mail address easy
Re: Changing of other mail address easy
Hello,
This is a known issue. We will fix it as soon as possible in the new plugin version.
P.S. Click on this link to get your hands on Ultimate Email Marketing Guide if you don't have it yet
Re: Changing of other mail address easy
Great. Thanks for the info.
Re: Changing of other mail address easy
We've already fixed the issue with the cross-site scripting vulnerability. The new version will be available soon.
As to the email address change, we don't see a problem here. We don't think anybody would need or want to change someone else's subscription settings.
P.S. Click on this link to get your hands on Ultimate Email Marketing Guide if you don't have it yet
Re: Changing of other mail address easy
Huh?
I don't understand the last answer you gave, since this seems to be the opposite of what you just wrote a few moments before. Maybe this is a kind of misunderstanding. I was not asking for a feature to change a mail address I do not own. I was asking for a way to prohibit changing a mail address I do not own. Because that was what my security expert easily could do (given he knows of an address in the list, which is in my view a not very unlikely situation with all the info people provide in bulletin boards and elsewhere). He told me that was part of the base64 coding of the mail address in the address field. If THAT has been changed, then I suppose that this security flaw is history; if not, I don't see why one would find it not important to fix that.
Re: Changing of other mail address easy
Sorry, I was not clear enough. I updated my reply above.
P.S. Click on this link to get your hands on Ultimate Email Marketing Guide if you don't have it yet
Re: Changing of other mail address easy
You got me laughing out loud here.
I don't think anybody would need or want to use my mail addresses to send out spam to millions of users. But people do. I have to spend a lot of money and time getting rid of bounces and answers to those mails that have not been sent by me. People aren't always good. People might be just curious (and technically versatile at the same time, although not a lot of versatility was needed here). Maybe that is just me having seen a lot of things no one would have thought would happen. Maybe someone else also finds it difficult to appreciate that this does not look like a problem. I don't know, I can only speak for myself. Maybe someone else here reads this thread and could add his opinion on that problem here, if he or she sees that as a possible problem or not. I'd love to hear opinions on that. Nonetheless, thanks for the clarification.
Re: Changing of other mail address easy
Hi again,
I will probably agree with you but I still think this is a much smaller problem in comparison with the cross-site scripting attack vulnerability. We found a solution but if it is implemented the old (current) unsubscribe links will not work. So, if a user clicks on the unsubscribe link in one of the older emails from you, that unsubscribe link will not work.
P.S. Click on this link to get your hands on Ultimate Email Marketing Guide if you don't have it yet
Re: Changing of other mail address easy
Okay, in comparison you're totally right.
Would it be an option for you to maybe make that an OPTION in this plugin? So that the ones wanting to keep everything as it is could just use the plugin, and the ones being too picky about such issues could make a click in the settings and use that a little bit more secure option (and then being aware, because they have been told, that the old links will not work anymore). I could easily live with that. If that would blow up the plugin too far, then OK. It is your plugin after all. But if this option would be easy to implement and maintain, then I'd be happy to see it in a future version. With kind regards, thomas.
Re: Changing of other mail address easy
Hello,
We've just released a new 2.10 version of the plugin where we changed the unsubscribe link. I updated the SVN so you will be able to download the new version soon.
P.S. Click on this link to get your hands on Ultimate Email Marketing Guide if you don't have it yet