Re: Security Issue

From: Mike Bacher
Date: Sunday, January 12, 2003
Time: 1:16:48 pm

At 10:45 AM 1/12/2003 -0800, you wrote:
>ISP List wrote:
>
> > Can you do this:
> >
> > 1. Add a new customer named "tcis123"
> > 2. Do not add any E-mail addresses to the account nor an Override E-mail
> > address
> > 3. Go to your own account in OG (or someone else's) and add the E-mail
> > address "tcis123@yourdomain.com"
> > 4. Request a password retrieval as "tcis123" from the Customer Web
> > Interface.
> > 5. Check your mail at tcis123@yourdomain.com and collect the password for
> > the "tcis123" customer.
> >
> > I can do this without OG ever complaining of duplicates, since in reality
> > there are none. I am never duplicating a login nor an E-mail address,
> > which are always treated as separate entities in OG (as it should be).
>
>I *really* don't think that's the case for a couple reasons... the *only*
>field searched on when doing the password retrieval is the login field
>(emails under services and override email addresses are *not* searched). If
>a match is found, then it's only going to send to that customer's email.

Yes, but if that customer *has* no E-mail addresses, it sends to
login@maindomain.com. That is the problem I have been trying to convey
with this thread. IMHO it should produce an error, e.g. "Account has no
E-Mail address on file"

--Mike


---------------------------------------------------
To subscribe, unsubscribe or to search list archive
please visit http://www.optigold.com/lists/isp.html
---------------------------------------------------
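
The recovery behaviour discussed in this message, as an added example that is not part of the original post and is not OG's code: a recovery lookup that falls back to login@maindomain beside one that fails closed, plus an audit for accounts the fallback exposes. The Customer model, function names, sample accounts and the override-before-service-address order are assumptions.

```python
from dataclasses import dataclass, field

MAIN_DOMAIN = "yourdomain.com"  # placeholder domain used in the thread

@dataclass
class Customer:  # hypothetical model of an account record
    login: str
    emails: list = field(default_factory=list)  # addresses under the account's services
    override_email: str = ""

class NoEmailOnFile(Exception):
    """Recovery refused: nothing recorded on the account to send to."""

def _on_file(c):
    # Assumed order: override address first, then the first service address.
    return c.override_email or (c.emails[0] if c.emails else None)

def recipient_with_fallback(customers, login):
    """Behaviour described in the thread: guess login@maindomain when nothing is on file."""
    return _on_file(customers[login]) or f"{login}@{MAIN_DOMAIN}"

def recipient_fail_closed(customers, login):
    """Suggested behaviour: send only to an address recorded on the account itself."""
    addr = _on_file(customers[login])
    if addr is None:
        raise NoEmailOnFile("Account has no E-Mail address on file")
    return addr

def mailbox_owner(customers, address):
    """Login of the account that holds this mailbox, or None."""
    for c in customers.values():
        if address.lower() in (e.lower() for e in c.emails):
            return c.login
    return None

def accounts_at_risk(customers):
    """Audit: accounts whose fallback address is a mailbox held by a different account."""
    hits = []
    for c in customers.values():
        if _on_file(c) is None:
            owner = mailbox_owner(customers, f"{c.login}@{MAIN_DOMAIN}")
            if owner and owner != c.login:
                hits.append((c.login, owner))
    return hits

def sample():
    # Constructed sample data mirroring the thread's scenario.
    return {"tcis123": Customer("tcis123"),
            "mike": Customer("mike", ["mike@yourdomain.com", "tcis123@yourdomain.com"])}

if __name__ == "__main__":
    print(accounts_at_risk(sample()))
```
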


