Re: Security Issue
From: Jeff Folk
Date: Saturday, January 11, 2003
Time: 5:21:09 pm
On Saturday, January 11, 2003, at 07:03 PM, ISP List wrote:
> At 06:47 PM 1/11/2003 -0600, you wrote:
>> Mike;
>>
>> How did you end up with this scenario in your system? an import?
>
> Nope. I actually noticed it when I was testing the password retrieval
> feature and decided to see what would happen if the customer that was
> requesting the password retrieval had no E-mail addresses/Override
> E-mail on file. Try it, you'll see what I'm talking about.
>
>> I just tried to set my system up to test your scenario and am unable
>> to do so. When I try to create an e-mail login for customer B that
>> matches an existing login for customer A, OG barks at me saying the
>> login is not unique and will not create the e-mail.
>
> No.. don't create duplicate E-mail addresses. I'm talking about the
> Login on the Customer Info page, e.g. their Dial-Up login.
>
Yes, Optigold verifies that the login is in use by an e-mail service
created later when trying to create a new customer login. It is
possible to CHANGE the login of an existing customer to match the login
of another e-mail (Shawn, some additional logic in the routine?).
But Optigold will not allow you to duplicate another customer's login.
Optigold also will not allow CHANGING an e-mail login already in use,
either by a dial-up login or an e-mail. These I have verified.
>> When I try to create a new customer with a login used by another
>> customer's additional e-mail, OG barks and says that it is already in
>> use (and by who), also refusing to create the new customer.
>
> Do you have OG set to auto create the first E-mail addy that matches
> the customer's Login name by chance?
>
Yes, but even with it turned off, using the proper procedures for
adding a customer or e-mail, Optigold refuses to allow me to shaft
myself.
>> So, while I think that it is possible for someone to be so dense as
>> to request a password to be e-mailed to them when they have no e-mail
>> in your system, at least Optigold will not allow you to create the
>> scenario you have described (unless there is some bizarre preference
>> setting somewhere I don't want to know about because having duplicate
>> logins would be a BAD thing).
>
> See above. It can be exploited; I've tested it several times now.
> Granted, it is highly unlikely someone will do so, but my point is
> that OG should not be making the assumption it is making when the
> customer has no E-mail addresses on file.
>
> --Mike
>
---------------------------------------------------
To subscribe, unsubscribe or to search list archive
please visit http://www.optigold.com/lists/isp.html
---------------------------------------------------
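The thread turns on two things: dial-up logins and e-mail logins share one namespace, but (per Jeff) the check is enforced on create and not on a login CHANGE; and password retrieval for a customer with no address on file makes some assumption the thread does not spell out. The following is an added example, not Optigold's code, that models both points so the failure modes can be exercised offline. It assumes a single mail domain (`example.net`), that retrieval mails to the override address or else the first mailbox on the account, and that the correct behaviour with nothing on file is to refuse rather than guess; the customer IDs, logins and mailboxes are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class DuplicateLogin(ValueError):
    """The login string is already used by another customer, as a dial-up or e-mail login."""


class NoAddressOnFile(LookupError):
    """The customer has no e-mail address and no override address, so nothing can be mailed."""


@dataclass
class Customer:
    login: str                                        # dial-up login from the Customer Info page
    emails: List[str] = field(default_factory=list)   # e-mail logins (local parts) on the account
    override_email: Optional[str] = None              # full address used instead of the account's mailboxes


class Directory:
    """One shared namespace for dial-up logins and e-mail logins, as the thread describes."""

    def __init__(self, domain: str) -> None:
        self.domain = domain                          # assumed single mail domain for the ISP
        self.customers: Dict[str, Customer] = {}

    def _owner_of(self, login: str, exclude: Optional[str] = None) -> Optional[Tuple[str, str]]:
        """Return (customer id, kind) if `login` is used by any customer other than `exclude`."""
        for cid, cust in self.customers.items():
            if cid == exclude:
                continue
            if cust.login == login:
                return cid, "customer login"
            if login in cust.emails:
                return cid, "e-mail login"
        return None

    def _require_free(self, login: str, exclude: Optional[str] = None) -> None:
        owner = self._owner_of(login, exclude)
        if owner is not None:
            raise DuplicateLogin(f"{login!r} is already in use as a {owner[1]} by {owner[0]}")

    def create_customer(self, cid: str, login: str) -> None:
        self._require_free(login)
        self.customers[cid] = Customer(login)

    def add_email(self, cid: str, local_part: str) -> None:
        # A customer may reuse its own dial-up login as a mailbox, but not another customer's.
        self._require_free(local_part, exclude=cid)
        if local_part in self.customers[cid].emails:
            raise DuplicateLogin(f"{local_part!r} already exists on {cid}")
        self.customers[cid].emails.append(local_part)

    def change_login(self, cid: str, new_login: str, cross_check: bool = True) -> None:
        """Rename a dial-up login.  cross_check=False reproduces the gap Jeff describes:
        the new value is compared only with other customers' dial-up logins, so it can
        silently collide with another customer's e-mail login."""
        if cross_check:
            self._require_free(new_login, exclude=cid)
        elif any(other != cid and c.login == new_login for other, c in self.customers.items()):
            raise DuplicateLogin(f"{new_login!r} is another customer's login")
        self.customers[cid].login = new_login

    def password_retrieval_address(self, login: str) -> str:
        """Where a password-retrieval mail for the customer with dial-up `login` may go.
        The lookup is by customer login only, so a mailbox on some other account that
        happens to share the string is never used; with nothing on file it refuses."""
        owners = [cid for cid, c in self.customers.items() if c.login == login]
        if len(owners) != 1:
            raise DuplicateLogin(f"{login!r} does not identify exactly one customer")
        cust = self.customers[owners[0]]
        if cust.override_email:
            return cust.override_email
        if cust.emails:
            return f"{cust.emails[0]}@{self.domain}"
        raise NoAddressOnFile(f"customer {owners[0]} has no e-mail or override address")


def outcome(fn, *args, **kwargs) -> str:
    """Run an operation and report 'ok' or the name of the refusal it raised."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except (DuplicateLogin, NoAddressOnFile) as exc:
        return type(exc).__name__


def build_sample_directory() -> Directory:
    """Constructed sample data: customer A with two mailboxes, customer B with none."""
    d = Directory(domain="example.net")
    d.create_customer("cust-a", "alice")
    d.add_email("cust-a", "alice")    # first mailbox matching the login, as auto-create would make
    d.add_email("cust-a", "sales")
    d.create_customer("cust-b", "bob")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print(outcome(d.create_customer, "cust-c", "sales"))                  # DuplicateLogin
    print(outcome(d.change_login, "cust-b", "sales"))                     # DuplicateLogin
    print(outcome(d.change_login, "cust-b", "sales", cross_check=False))  # ok: the gap
    print(outcome(d.password_retrieval_address, "sales"))                 # NoAddressOnFile
```

With the cross-namespace check bypassed on the change path, customer B ends up with the login `sales` while customer A still owns the `sales` mailbox; the retrieval lookup keys on the customer record rather than on the login string, so it refuses for B instead of mailing A's mailbox. That refusal is the behaviour Mike is asking for when no address is on file.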