[TYPO3-dev] Double opt-in, user registration and confirmation links

Marcus Krause marcus#exp2008 at t3sec.info
Thu Nov 6 01:46:05 CET 2008


Dears,


it has been brought to our attention that confirmation links find their
way onto the internet and are then publicly available.
In general, confirmation links are used to provide double opt-ins for
services like user registration, subscriptions to newsletter/ad
campaigns, password retrieval etc.
With double opt-in, users subscribe/register to a service with their
email addresses and then receive mails with a confirmation link. After
clicking on such a link, the account will be activated.

We are aware of the fact that these confirmation links, which are sent by
email only, sneak out of the emails and become public, e.g. publicly
available through the internet. We guess that certain search engine
services are responsible for this. Another reason might be the logging
of web server requests (confirmation links as referrer) without securing
access to the server logs. In both cases, the web site admin and user of
such an extension have limited means to prevent such "disclosure".

Disclosure of confirmation links is a serious issue if they do not
become invalid after being clicked.


addressing extension developers:
* Please make sure that confirmation links consist of a random token!
* Please make sure that confirmation links become invalid after the
first click on them!
* In case you have questions on the implementation, don't hesitate to
contact the TYPO3 Security Team [1]!
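The two developer requirements above (random token, single use) in working form. This is an added example, not code from TYPO3 core or from any extension; it is plain, framework-independent PHP (7.4+), and the in-memory $store array, the 24-hour lifetime and the example link format are assumptions standing in for an extension's own database table and URL scheme.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not TYPO3 code): a minimal double opt-in token store.
 * The $store array stands in for a database table; in an extension the
 * "look up and delete" step below must be one atomic DELETE/UPDATE.
 */
final class ConfirmationTokens
{
    private const TTL_SECONDS = 86400;   // assumption: links expire after 24 hours
    private const TOKEN_HEX_LENGTH = 64; // 32 random bytes, hex encoded

    /** @var array<string, array{email: string, expires: int}> keyed by sha256(token) */
    private array $store = [];

    /**
     * Issue a fresh one-time token and return the raw value to embed in the
     * email link. Do NOT derive tokens from md5(email . uid) or time():
     * anyone who knows the address can recompute those.
     */
    public function issue(string $email): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        // Store only a hash: a leaked DB dump or log line then yields no usable link.
        $this->store[hash('sha256', $token)] = [
            'email'   => $email,
            'expires' => time() + self::TTL_SECONDS,
        ];
        return $token;
    }

    /**
     * Redeem a token from a clicked link. Returns the confirmed email on
     * success, null on an unknown, reused or expired token. Every token is
     * consumed on first use, whether or not it was still valid.
     */
    public function confirm(string $token): ?string
    {
        if (strlen($token) !== self::TOKEN_HEX_LENGTH || !ctype_xdigit($token)) {
            return null;                       // reject malformed input early
        }
        $key = hash('sha256', $token);
        if (!isset($this->store[$key])) {
            return null;                       // unknown or already used
        }
        $row = $this->store[$key];
        unset($this->store[$key]);             // invalidate before anything else
        if ($row['expires'] < time()) {
            return null;                       // link was too old
        }
        return $row['email'];
    }
}

// Usage: what a registration extension would do on sign-up and on click.
$tokens = new ConfirmationTokens();
$raw    = $tokens->issue('user@example.com');
$link   = 'https://www.example.com/index.php?id=42&tx_myext[confirm]=' . $raw; // assumed URL format

var_dump($tokens->confirm($raw));   // string(16) "user@example.com": first click activates
var_dump($tokens->confirm($raw));   // NULL: a second click, or a leaked copy of the link, does nothing
```

Two design points worth keeping when porting this onto a real table: the stored value is a hash of the token, so reading the table does not give anyone a clickable link, and the token is removed before its expiry is checked, so one request can never redeem it twice. With a database backend the lookup and removal must be a single statement (for example a DELETE ... WHERE token_hash = ? whose affected-row count is checked), otherwise two near-simultaneous clicks can both succeed.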

addressing extension users:
* If you're using an extension that provides confirmation links, please
check whether the link becomes invalid after it has been used!
* If confirmation links aren't implemented as one-time tokens, please
contact the extension author and ask them to fix the extension! Please
use the TYPO3 bugtracker (bugs.typo3.org) in the first place!

addressing others:
* Please spread this information!


The TYPO3 Security Team would like to thank Gerwin Brill for bringing
this issue to our attention.

[1] http://typo3.org/teams/security/contact-us/


Regards,
Marcus Krause.

Member TYPO3 Security Team