[Owasp-board] Security Issue with OWASP Mailing Lists?
josh.sokol at owasp.org
Fri Dec 20 15:45:07 UTC 2013
I haven't validated this, mostly because of the impact to a running
production system, but it was reported to me by someone I trust:
> So I'm signed up for the owasp website on both my work and personal emails.
> The email that they sent out today I checked out the unsubscribe buttons at
> the bottom of each.
> It doesn't pull up any of your information, it just flat out removes you
> from the mailing list.
> I tried a few random numbers in place of the obvious parameter... they all
> gave me "you have been unsuscribed" page.
> And I discovered that even going to http://cts.vresp.com/u?1adcea04a0 gives you the same page.
> So you can't tell if you actually unsubscribed from the emails or not....
> But you could blindly iterate through 10 digit alpha numeric codes and hope
> you unsubscribe everyone :p
We should probably have Matt take a look at this when he gets some spare
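For reference, here is how an unsubscribe link can be built so that the parameter is neither guessable nor silently accepted when wrong. This is an added example, not code from the thread or from the mailing-list provider; it assumes an in-memory subscriber table and a constructed server-side secret.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed secret for this example only; a real service loads it from configuration.
SECRET_KEY = b"example-only-secret"

# Constructed in-memory subscriber table: subscriber_id -> {"email": ..., "active": ...}
SUBSCRIBERS: Dict[str, dict] = {}


def subscribe(email: str) -> str:
    """Create a subscriber under a random, non-sequential id and return that id."""
    subscriber_id = secrets.token_hex(8)
    SUBSCRIBERS[subscriber_id] = {"email": email, "active": True}
    return subscriber_id


def _tag(subscriber_id: str) -> str:
    """HMAC over the id: a link is only valid if it carries a tag the server minted."""
    return hmac.new(SECRET_KEY, subscriber_id.encode(), hashlib.sha256).hexdigest()


def unsubscribe_token(subscriber_id: str) -> str:
    """Value placed in the unsubscribe URL: '<random id>.<hmac tag>'."""
    return f"{subscriber_id}.{_tag(subscriber_id)}"


def handle_unsubscribe(token: str) -> Tuple[str, Optional[str]]:
    """Process one click and report what actually happened.

    Returns (status, email). Forged, truncated or unknown tokens yield
    ("invalid", None) instead of a generic "you have been unsubscribed" page,
    so a caller cannot iterate parameter values and remove other subscribers.
    """
    parts = token.split(".")
    if len(parts) != 2:
        return "invalid", None
    subscriber_id, tag = parts
    # Constant-time comparison avoids leaking the tag byte by byte via timing.
    if not hmac.compare_digest(_tag(subscriber_id), tag):
        return "invalid", None
    entry = SUBSCRIBERS.get(subscriber_id)
    if entry is None:
        return "invalid", None
    if not entry["active"]:
        return "already_unsubscribed", entry["email"]
    entry["active"] = False
    return "unsubscribed", entry["email"]
```

The confirmation page can then show which address was removed, which also gives the subscriber the feedback the report above says is missing.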