Re: Intel.com Mailing List Arbitrary Address Removal Link

["Ryan M Harris" <rmharris () acdinc net>]

Actually-

This is kind of funny, I reported this exact problem to them (grc.com) on
earlier in the week.

I got this response on Wednesday, the 6th:

    ....snip....

    It's not out of laziness or lack of concern or attention that we've
    deliberately chosen not to take any of the measures you've suggested -
it's
    just that we think it's overkill to put everyone through such measures
for
    something that's just not going to be much of a problem.

    As you probably know, *ANY* and *EVERY* message that's ever sent by this
    facility will contain a hyper link that takes the recipient directly to
    their own eMail database page where they can edit and/or delete their
    membership instantly.

    ....snip....

    We've been literally FLOODED with praise about the simplicity of
    the system which, we're sure, is due in part to the lack of passwords,
    hints, clues, confirmations, and the like.

Regards,


Ryan M Harris
ACD Incorporated
rmharris () acdinc net



----- Original Message -----
From: "Thierry Zoller" <support () sniff-em com>
To: <rdnktrk () hotmail com>
Cc: <bugtraq () securityfocus com>
Sent: Wednesday, February 06, 2002 4:17 PM
Subject: Re: Intel.com Mailing List Arbitrary Address Removal Link


> While Intel requires you to login to modify account information, it does
not
> require you to login to remove your e-mail (or any e-mail) from its mailing
> list database.

This issue is valuable for plenty of mailing lists, as example take the GRC
mailing list :

Exemple :
http://grc.com/mail.htm
(POST) therefor no direct link here. Enter whatever e-mail address and
select "delete membership".
As for moderation, I thought specific vulnerabilities (i.e intel.com is
vulnerable to etc) wouldn't be posted.

==
Thierry Zoller
http://www.sniff-em.com