Posted by Angelos on 11/03/05 14:42

Hello...
I wrote a simple subscribe script that when a user completes the
subscription form he gets added in the database and then he receives an
e-mail where he/she clicks on the follow link :

<a
href=www.mysite.com?confirm&subscribers_id=mysql_insert_id($rs_subscriber_id)>Confirm</a>

and gets added in the newsletter subscribers.

The problem with that is that you can easily exploit it... if you start
subscribing and then just copy pasting the above url with ascending ids.

Same happens with the unsubscribe.
<a
href=www.mysite.com?unsubscribe&subscribers_id=$row_subscriber_id>Unsubscribe</a>
Exploit: just use random subscriber_ids and start unsubscribing people.

But if that Number was encoded somehow and then decoded... it would solve
the proble... or at least the chances would be less.


Could you please help me ???
Please !!!
Thanks.

• Next in forum: Re: Newsletter Secure Subscribe/Unsubscribe
• Prev in forum: Re: Classes, don't follow.
• Thread view: Newsletter Secure Subscribe/Unsubscribe

[Reply to this message]