[Owasp-board] Security Issue with OWASP Mailing Lists?

Kate Hartmann kate.hartmann at owasp.org
Fri Dec 20 15:48:21 UTC 2013


I will forward this to the Vertical Response support team.  I'm sure they
will want to discuss the technical component.


On Fri, Dec 20, 2013 at 10:45 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I haven't validated this, mostly because of the impact to a running
> production system, but it was reported to me by someone I trust:
>
> So I'm signed up for the owasp website on both my work and personal
>> emails. The email that they sent out today I checked out the unsubscribe
>> buttons at the bottom of each.
>>
>> http://cts.vresp.com/u?1adcea04a0/a0c49a89d9/mlpftw
>> http://cts.vresp.com/u?1adcea04a0/111d892466/mlpftw
>>
>> It doesn't pull up any of your information, it just flat out removes you
>> from the mailing list.
>>
>> I tried a few random numbers in place of the obvious parameter... they
>> all gave me "you have been unsuscribed" page.
>> And I discovered that even going to http://cts.vresp.com/u?1adcea04a0 gives you the same page.
>>
>> So you can't tell if you actually unsubscribed from the emails or not....
>> But you could blindly iterate through 10 digit alpha numeric codes and hope
>> you unsubscribe everyone :p
>>
>
>  We should probably have Matt take a look at this when he gets some spare
> cycles.
>
> ~josh
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>


-- 


Kate Hartmann
kate.hartmann at owasp.org
+1 301-275-9403
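The report above describes two weaknesses in the unsubscribe link: the subscriber identifier in the URL is the only thing that authorises the change, and the same "unsubscribed" page comes back whether or not the identifier matched anything. The following is an added illustration written for this archive page, not code from OWASP or from Vertical Response. It places a handler with that behaviour next to a hardened one in which the link carries an HMAC over the list and subscriber ids under a server-side secret, so a guessed or altered id is rejected and the response says so. The in-memory subscriber store, the e-mail addresses, the secret and all function names are constructed for the example; the list and subscriber ids are the ones visible in the links quoted in the thread.

```python
import hashlib
import hmac
import secrets

# Constructed subscriber store standing in for the mailing-list backend.
# The ids are taken from the links in the report; the addresses are made up.
LIST_ID = "1adcea04a0"
SUBSCRIBERS = {
    "a0c49a89d9": {"email": "alice@example.org", "subscribed": True},
    "111d892466": {"email": "alice.work@example.org", "subscribed": True},
}

# Constructed server-side secret; a real service loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)

INVALID = "invalid or expired unsubscribe link"


def unsubscribe_weak(list_id: str, subscriber_id: str) -> str:
    """Pattern described in the thread: the bare subscriber id is trusted, and the
    confirmation text is identical whether or not anything was actually changed."""
    entry = SUBSCRIBERS.get(subscriber_id)
    if entry is not None:
        entry["subscribed"] = False
    return "you have been unsubscribed"


def make_unsubscribe_token(list_id: str, subscriber_id: str,
                           secret: bytes = SERVER_SECRET) -> str:
    """Token embedded in the outgoing mail: HMAC-SHA256 over list id and subscriber id.
    Without the secret nobody can produce a valid token for another subscriber."""
    msg = f"{list_id}:{subscriber_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def unsubscribe_signed(list_id: str, subscriber_id: str, token: str,
                       secret: bytes = SERVER_SECRET) -> str:
    """Hardened handler: verify the token before touching any state, and report
    failure instead of returning a success page for an unknown or forged id."""
    expected = make_unsubscribe_token(list_id, subscriber_id, secret)
    # compare_digest avoids leaking how many characters matched via timing
    if not hmac.compare_digest(expected, token):
        return INVALID
    entry = SUBSCRIBERS.get(subscriber_id)
    if entry is None:
        return INVALID
    entry["subscribed"] = False
    return f"unsubscribed {entry['email']} from list {list_id}"


if __name__ == "__main__":
    # A random id is accepted by the weak handler and reported as success.
    print(unsubscribe_weak(LIST_ID, "zzzzzzzzzz"))
    # The same id is rejected by the signed handler because it carries no valid token.
    print(unsubscribe_signed(LIST_ID, "zzzzzzzzzz", "0" * 64))
    # Only the link actually mailed to the subscriber works.
    tok = make_unsubscribe_token(LIST_ID, "111d892466")
    print(unsubscribe_signed(LIST_ID, "111d892466", tok))
```

Binding the token to both ids means a link for one subscription cannot be replayed against another, and the distinct failure message lets a user tell whether the click took effect. A production handler would additionally serve the link as a confirmation page and perform the removal only on a follow-up POST, since mail security gateways routinely prefetch GET links and would otherwise unsubscribe people on their behalf.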