[Owasp-board] Security Issue with OWASP Mailing Lists?

Josh Sokol josh.sokol at owasp.org
Fri Dec 20 15:45:07 UTC 2013


I haven't validated this, mostly because of the impact to a running
production system, but it was reported to me by someone I trust:

> So I'm signed up for the owasp website on both my work and personal emails.
> The email that they sent out today I checked out the unsubscribe buttons at
> the bottom of each.
>
> http://cts.vresp.com/u?1adcea04a0/a0c49a89d9/mlpftw
> http://cts.vresp.com/u?1adcea04a0/111d892466/mlpftw
>
> It doesn't pull up any of your information, it just flat out removes you
> from the mailing list.
>
> I tried a few random numbers in place of the obvious parameter... they all
> gave me the "you have been unsubscribed" page.
> And I discovered that even going to http://cts.vresp.com/u?1adcea04a0 gives you the same page.
>
> So you can't tell if you actually unsubscribed from the emails or not....
> But you could blindly iterate through 10 digit alpha numeric codes and hope
> you unsubscribe everyone :p
>

We should probably have Matt take a look at this when he gets some spare
cycles.

~josh
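The report above describes an unsubscribe link that acts on whatever value is placed in its parameter, including no value at all, and shows the same confirmation page either way. As an added example (not code from this list, the mailing-list vendor, or the original message), here is how a defender would bind each unsubscribe link to its subscriber with a keyed MAC, so that a guessed, altered or missing value is rejected and the response states what actually happened. The function names, the sample subscriber records, the list identifier and the server secret are all constructed for this demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed demo data (hypothetical): a real system would load the secret
# from a secret store and the subscriber table from its database.
SERVER_SECRET = secrets.token_bytes(32)
SUBSCRIBERS = {
    "sub-0001": {"email": "work@example.test", "subscribed": True},
    "sub-0002": {"email": "home@example.test", "subscribed": True},
}


def make_unsubscribe_token(list_id: str, subscriber_id: str) -> str:
    """HMAC-SHA256 over (list_id, subscriber_id); 128 bits in hex.

    The token is bound to both the list and the subscriber, so a value
    copied from one link cannot unsubscribe a different address, and an
    attacker without SERVER_SECRET cannot forge one for any id.
    """
    msg = f"{list_id}\x00{subscriber_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def build_unsubscribe_url(base: str, list_id: str, subscriber_id: str) -> str:
    """Link to embed in the outgoing mail: subscriber id plus its MAC."""
    token = make_unsubscribe_token(list_id, subscriber_id)
    return f"{base}/u?list={list_id}&sub={subscriber_id}&t={token}"


def handle_unsubscribe(list_id: str, subscriber_id: str, token: str) -> str:
    """Process one unsubscribe attempt.

    Returns 'invalid', 'already_unsubscribed' or 'unsubscribed' so the
    page shown to the user reflects what really happened.
    """
    record = SUBSCRIBERS.get(subscriber_id)
    # Always compute the expected MAC, even for unknown ids, so the
    # response time does not reveal whether the id exists.
    expected = make_unsubscribe_token(list_id, subscriber_id)
    # Constant-time comparison; encode so arbitrary user input cannot
    # raise TypeError inside compare_digest.
    mac_ok = hmac.compare_digest(expected.encode(), token.encode())
    if record is None or not mac_ok:
        return "invalid"
    if not record["subscribed"]:
        return "already_unsubscribed"
    record["subscribed"] = False
    return "unsubscribed"


def handle_request(url: str) -> str:
    """Parse an incoming unsubscribe URL and dispatch it.

    A request with a missing or repeated parameter (such as the bare
    '/u?<listid>' form described in the report) is rejected outright
    instead of being treated as a successful unsubscribe.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = []
    for name in ("list", "sub", "t"):
        if len(params.get(name, [])) != 1:
            return "invalid"
        values.append(params[name][0])
    return handle_unsubscribe(*values)


if __name__ == "__main__":
    link = build_unsubscribe_url("https://mail.example.test", "list-demo", "sub-0001")
    print(link)
    print(handle_request(link))                                   # unsubscribed
    print(handle_request(link))                                   # already_unsubscribed
    print(handle_request("https://mail.example.test/u?list-demo"))  # invalid
```

The status strings map to three distinct pages, which addresses the report's point that a user cannot tell whether the action took effect. One further design choice worth making in a real deployment, beyond what the message discusses: a GET link that changes state on first visit can be triggered by mail clients and security gateways that prefetch URLs, so the landing page should show a confirmation button and perform the unsubscribe on the resulting POST.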

