phpList / phplist3

Fully functional Open Source email marketing manager for creating, sending, integrating, and analysing email campaigns and newsletters.
https://www.phplist.org
GNU Affero General Public License v3.0
760 stars 271 forks source link

Unauthorized unsubscribing of anyone #966

Open kleozzy opened 1 year ago

kleozzy commented 1 year ago

Hello,

I am testing the latest build: 3.6.13 and i have noticed that by default you can just fill in the email of any subscriber in the unsubscribe form and unsub them, without them having to confirm or authorize this. I know there is a setting in config_extended.php to force users to provide a password but it forces you to create an account which i think its a bit much for a newsletter. I am also aware about the robots.txt fix for the spiders but in this case i am talking about a malicious actor unsubbing users knowingly.

Is there a way to confirm un-subscription the same way you confirm subscription ? via Email Link ?

michield commented 1 year ago

Well, phpList does send a final "goodbye email" for that purpose, to notify the user that they were unsubscribed. But yes, it can be used to prank people;

kleozzy commented 1 year ago

Isn't there a way to add confirmation email for unsubbing just like we have for subbing ?

Notification email is fine, and sure you can resub but nothing stops the attacker from unsubbing you again and again and again.

michield commented 1 year ago

I just want to make it as easy as possible to unsubscribe. If we like it or not, phpList is often used to send unsolicited emails, so unsubscribing should be a single action, provided the JUMPOFF is set. If there's a second action required, it will make people less happy. I've seen many cases where the "Goodbye email" was marked as spam, which is ironic.

Also, the admin gets informed about this action as well, so for smaller systems, where admins know most of their contacts they can keep an eye on it, and contact the subscriber saying "did you really want to do that? "

kleozzy commented 1 year ago

Could be an option for those who want to enforce it though right? Why force them to ether no action or create account, you can also add the in-between option of email confirmation and let the admin choose.

michield commented 1 year ago

Sure, happy to accept a Pull Request

michield commented 9 months ago

You can possibly also use https://resources.phplist.com/system/config/unsubscribe_requires_password