Magento Forum

   
Guest can flood anyone’s mailbox by subscribing her to the newsletter
 
laProbeta
Member
 
Total Posts:  35
Joined:  2008-10-21
 

Simply repeating a POST to http://<yoursite>/magento/newsletter/subscriber/new/ with POST data “email=<victim>@<mail_domain>”. I’ve easily tested this with http://demo.magentocommerce.com/

Issue #9600 is about some newsletter subscription security problems like this, but issue tracker seems not to work!

In my opinion this could be acceptable once, but never if (1) we have a pending answer from <victim>@<mail_domain> to confirm subscription or if (2) <victim>@<mail_domain> corresponds to a client of the shop who has stated not to receive the newsletter.

Please, any good solution (not based on template masquerading or such) would be very appreciated! I’m trying to open a shop but antispam laws in my country and this error will force me to disable the newsletter.
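
The policy proposed in the post above (one confirmation mail per address, and none while a confirmation is pending or when the address belongs to a customer who declined the newsletter), sketched as a server-side check. This is an added example, not part of the original post and not Magento code; the status names, the `guestSubscribe` function and the array-backed store are assumptions.

```php
<?php
// Added example: not Magento code. Status names and the array-backed store
// are assumptions made for this sketch.
const ST_SUBSCRIBED  = 'subscribed';
const ST_UNCONFIRMED = 'unconfirmed'; // confirmation mail sent, no answer yet
const ST_OPTED_OUT   = 'opted_out';   // shop customer who declined the newsletter

/**
 * Decide what a guest POST with email=<address> may trigger.
 * $store maps normalized address => status and is updated in place.
 * Returns ['send' => bool, 'reason' => string]; the reason is for the shop's
 * log only, the HTTP response should be the same in every case.
 */
function guestSubscribe(string $rawEmail, array &$store): array
{
    $email = strtolower(trim($rawEmail)); // dedup key; case-folding is a choice
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['send' => false, 'reason' => 'invalid_address'];
    }
    switch ($store[$email] ?? null) {
        case ST_UNCONFIRMED: // condition (1): a confirmation is already pending
            return ['send' => false, 'reason' => 'confirmation_pending'];
        case ST_OPTED_OUT:   // condition (2): the customer declined the newsletter
            return ['send' => false, 'reason' => 'customer_opted_out'];
        case ST_SUBSCRIBED:
            return ['send' => false, 'reason' => 'already_subscribed'];
    }
    $store[$email] = ST_UNCONFIRMED; // first request: exactly one mail goes out
    return ['send' => true, 'reason' => 'first_request'];
}

// Constructed data: one opted-out customer, then a burst of repeated guest POSTs.
$store = ['customer@example.com' => ST_OPTED_OUT];
$requests = array_merge(
    array_fill(0, 500, 'victim@example.com'),
    array_fill(0, 500, ' Victim@Example.com '),
    ['customer@example.com', 'not-an-address']
);
$mails = 0;
$reasons = [];
foreach ($requests as $r) {
    $d = guestSubscribe($r, $store);
    $mails += $d['send'] ? 1 : 0;
    $reasons[$d['reason']] = ($reasons[$d['reason']] ?? 0) + 1;
}
echo "requests: " . count($requests) . ", confirmation mails: $mails\n";
print_r($reasons);
```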

 
Magento Community
 
Pixxa
Sr. Member
 
Total Posts:  275
Joined:  2008-10-23
 

is this still present?

 
 
laProbeta
Member
 
Total Posts:  35
Joined:  2008-10-21
 

Yes, it’s still present with 1.3.2.1 version.

 
 
laProbeta
Member
 
Total Posts:  35
Joined:  2008-10-21
 

Still present with 1.3.2.3 version, no progress on Issue #9600

 
 
Adjustware
Guru
 
Total Posts:  654
Joined:  2009-05-11
 

It’s really annoying

 
 
laProbeta
Member
 
Total Posts:  35
Joined:  2008-10-21
 

Still occurring with 1.3.2.4 version…

 