Search Again: Re: Security Issue From: Mike Bacher Date: Saturday, January 11, 2003 Time: 5:04:27 pm At 06:47 PM 1/11/2003 -0600, you wrote: >Mike; > >How did you end up with this scenario in your system? an import? Nope. I actually noticed it when I was testing the password retrieval feature and decided to see what would happen if the customer that was requesting the password retrieval had no E-mail addresses/Override E-mail on file. Try it, you'll see what I'm talking about. >I just tried to set my system up to test your scenario and am unable to do >so. When I try to create an e-mail login for customer B that matches an >existing login for customer A, OG barks at me saying the login is not >unique and will not create the e-mail. No.. don't create duplicate E-mail addresses. I'm talking about the Login on the Customer Info page, e.g. their Dial-Up login. >When I try to create a new customer with a login used by another >customer's additional e-mail, OG barks and says that it is already in use >(and by who), also refusing to create the new customer. Do you have OG set to auto create the first E-mail addy that matches the customer's Login name by chance? >So, while I think that it is possible for someone to be so dense as to >request a password to be e-mailed to them when they have no e-mail in your >system, at least Optigold will not allow you to create the scenario you >have described (unless there is some bizarre preference setting somewhere >I don't want to know about because having duplicate logins would be a BAD >thing). See above. It can be exploited, I've tested it several times now. Granted, it is highly unlikely someone will do so, but my point is that OG should not be making the assumption it is making when the customer has no E-mail addresses on file. --Mike --------------------------------------------------- To subscribe, unsubscribe or to search list archive please visit http://www.optigold.com/lists/isp.html ---------------------------------------------------

Messages In This Thread: Security issue by Eivind Ravndal on Apr 29, 2002 at 8:19:48 am Re: Security issue by Shawn Hogan on Apr 30, 2002 at 10:26:09 pm Security Issue by Mike Bacher on Jan 11, 2003 at 10:24:13 am Re: Security Issue by Shawn Hogan on Jan 11, 2003 at 11:13:42 am Re: Security Issue by Mike Bacher on Jan 11, 2003 at 11:58:41 am Re: Security Issue by Shawn Hogan on Jan 11, 2003 at 12:22:56 pm Re: Security Issue by Mike Bacher on Jan 11, 2003 at 1:21:07 pm Re: Security Issue by Jeff Folk on Jan 11, 2003 at 4:47:30 pm Re: Security Issue by Mike Bacher on Jan 11, 2003 at 5:04:27 pm Re: Security Issue by Jeff Folk on Jan 11, 2003 at 5:06:19 pm Re: Security Issue by Jeff Folk on Jan 11, 2003 at 5:21:09 pm Re: Security Issue by Jeff Folk on Jan 11, 2003 at 5:31:59 pm Re: Security Issue by Mike Bacher on Jan 11, 2003 at 9:27:39 pm Re: Security Issue by Mike Bacher on Jan 11, 2003 at 9:31:18 pm Re: Security Issue by Mike Bacher on Jan 11, 2003 at 9:32:49 pm Re: Security Issue by Jeff Folk on Jan 12, 2003 at 7:19:23 am Re: Security Issue by Mike Bacher on Jan 12, 2003 at 10:07:22 am Re: Security Issue by Shawn Hogan on Jan 12, 2003 at 10:37:39 am Re: Security Issue by Shawn Hogan on Jan 12, 2003 at 10:38:48 am Re: Security Issue by Shawn Hogan on Jan 12, 2003 at 10:40:21 am Re: Security Issue by Shawn Hogan on Jan 12, 2003 at 10:43:01 am Re: Security Issue by Shawn Hogan on Jan 12, 2003 at 10:45:48 am Re: Security Issue by Shawn Hogan on Jan 12, 2003 at 10:47:52 am Re: Security Issue by Mike Bacher on Jan 12, 2003 at 1:04:49 pm Re: Security Issue by Mike Bacher on Jan 12, 2003 at 1:07:58 pm Re: Security Issue by Mike Bacher on Jan 12, 2003 at 1:10:49 pm Re: Security Issue by Mike Bacher on Jan 12, 2003 at 1:16:48 pm Re: Security Issue by Mike Bacher on Jan 12, 2003 at 1:21:23 pm Re: Security Issue by Matthew Bailey on Jan 12, 2003 at 4:07:28 pm Re: Security Issue by Bryan Kroger on Jan 13, 2003 at 9:23:23 am Re: Security Issue by Mike Bacher on Jan 13, 2003 at 11:39:54 am Re: Security Issue by customers1st@yeipost-netsolution.net on Jan 13, 2003 at 11:52:15 am Re: Security Issue by Bryan Kroger on Jan 13, 2003 at 12:00:47 pm Re: Security Issue by Shawn Hogan on Jan 13, 2003 at 12:02:19 pm Re: Security Issue by Shawn Hogan on Jan 13, 2003 at 12:07:51 pm Re: Security Issue by Shawn Hogan on Jan 13, 2003 at 12:11:54 pm Re: Security Issue by Matthew Bailey on Jan 13, 2003 at 12:27:50 pm Re: Security Issue by Mike Bacher on Jan 13, 2003 at 12:46:53 pm Re: Security Issue by Mike Bacher on Jan 13, 2003 at 12:47:26 pm Re: Security Issue by Fernando Huerta =?iso-8859-1?Q?Zu=F1iga?= on Jan 13, 2003 at 1:52:09 pm