Opened 9 years ago

Closed 3 years ago

#2521 closed defect (wontfix)

Weather shouldn't use the confirm_auth string in the URL of the /pending/ page

Reported by: kaner
Owned by: kaner
Priority: Medium
Component: Metrics/Tor Weather

Description

Currently Weather forwards a newly subscribed user to the /pending/ page, passing on the confirm_auth string in the URL. This is a bad idea from a security point of view. Nicolas Pouillard reported this issue (thanks!). It is currently worked around in the live version of Weather.

A real fix might need a redesign of some parts or workflows in Weather.

Child Tickets

Change History (2)

comment:1 Changed 5 years ago by Michanek

I just used this flaw to manage several subscriptions that I otherwise couldn't have accessed.
Thanks for the tip :-)

I have control over the email address but no longer access to the original confirmation messages with the URLs for updating and unsubscribing. If this is fixed there has to be a way to resend the correct URLs to the subscriber's email address.
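An added illustration, not Tor Weather's own code, of the two patterns this ticket and comment:1 discuss: a subscribe handler that puts confirm_auth into the /pending/ redirect beside one that keeps the token in the confirmation mail only, plus a resend path for subscribers who lost the original message. The hostname, the in-memory store and the mail outbox are constructed stand-ins.

```python
# Added example, not code from the Tor Weather project. Store, outbox and
# hostname are constructed stand-ins for a database, an SMTP client and the
# real service.
import secrets
from urllib.parse import urlparse, parse_qs

SUBSCRIBERS = {}   # email -> confirm_auth token (constructed in-memory store)
OUTBOX = []        # (recipient, body) pairs standing in for sent mail


def send_confirmation(email, token):
    """Deliver the confirmation URL by mail, the only channel that should carry it."""
    OUTBOX.append((email, f"https://weather.example/confirm/{token}/"))


def new_subscription(email):
    """Create a pending subscription and mail its confirm_auth token."""
    token = secrets.token_urlsafe(24)
    SUBSCRIBERS[email] = token
    send_confirmation(email, token)
    return token


def subscribe_leaky(email):
    """Pattern the ticket describes: the token rides in the redirect URL, where
    browser history, proxy logs and the Referer header of the next page can expose it."""
    token = new_subscription(email)
    return f"/pending/{token}/"


def subscribe_fixed(email):
    """Hardened variant: the pending page needs nothing secret, so the redirect
    carries nothing; the token exists only in the mail."""
    new_subscription(email)
    return "/pending/"


def resend_confirmation(email):
    """What comment:1 asks for: re-send the stored URL to the address on file
    instead of exposing it anywhere else. Returns False for unknown addresses."""
    token = SUBSCRIBERS.get(email)
    if token is None:
        return False
    send_confirmation(email, token)
    return True


def redirect_leaks_token(location, email):
    """Check a redirect target: does the subscriber's token appear in its path or query?"""
    token = SUBSCRIBERS[email]
    url = urlparse(location)
    in_query = any(token in v for vals in parse_qs(url.query).values() for v in vals)
    return token in url.path or in_query
```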

comment:2 Changed 3 years ago by karsten

Resolution: wontfix
Status: new → closed

Tor Weather has been discontinued as of May 24, 2016: https://lists.torproject.org/pipermail/tor-relays/2016-June/009424.html. Batch-closing all remaining tickets as announced in #19382. A list of these tickets and any other Weather tickets modified after June 26, 2016 will be available here: https://trac.torproject.org/projects/tor/query?changetime=Jun+27%2C+2016..&component=^Metrics%2FTor+Weather
