It's sort of a convenience feature, mostly to let users go directly to
the OpenSRS system (manage.opensrs.net) to change their information, so
users log in to the system from whatever RSP the local OpenSRS.conf points
to, but since there are no paid features in that CGI, it's basically
harmless. Of course, you should be careful when modifying that CGI - if
you don't have an additional authentication system on your site.
Vlad
On Mon, 20 Nov 2000, A. I. Sinclair wrote:
> A difference in RSP scripts vs Domain Direct scripts was previously raised
> and addressed.
>
> I stumbled across another which may or may not be regarded as a security
> issue, but I know I am not too comfortable with it.
>
> In essence, a user with a domain registered with Tucows through an RSP can
> use another RSP's site to log into the system and maintain their domain.
>
> So although someone is not your customer, they can still log into your site
> hmmmm.....
>
> By contrast, a user cannot log into Domain Direct. However, I am not sure if
> the reverse is possible, i.e. if a user who registered with Domain Direct
> can log into an RSP's site.
>
> Of course I did not try any hanky-panky and not sure if it is even possible,
> but then there are those (and I don't mean RSPs) who might get up to some
> mischief.
>
> ais
>
>