Usermin URL...any user account can input on wrong URL and are directed to their own account

#1 Sat, 12/21/2019 - 18:43
adamjedgar

This might not seem to be a problem; however, I think it is, because it provides the opportunity for Usermin users to find out what other Usermin domains are on the server.

How to reproduce:

Log into a valid Usermin email account with the wrong virtual server URL (i.e. one that exists on the server, but does not belong to your domain).

Usermin then allows one to log in to one's own account starting from the wrong virtual server URL.

For example:

Let's say the following are two domains on the server with email:

adamsapples.com (with Usermin user adam@adamsapples.com)

nedsnitwits.com (with Usermin user ned@nedsnitwits.com)

If Ned enters the following in the Google browser:

adamsapples.com:20000, he is shown the login screen for Usermin as expected. (However, remember this is adamsapples' domain, not nedsnitwits' domain!)

Ned can then enter his email address and password, and Usermin opens up in his own account even though he originally started from the wrong URL!

I can appreciate that, if Ned were entering hostname.fqdn:20000 in the browser, this would work. That's understandable and no problem, because it does not expose other domains on the server. But in this instance, that is not what I am doing.

Surely it should not do this?

For the sake of some level of obscurity, wouldn't it be better that Usermin checks the URL Ned entered in the Google browser against the information stored with adamsapples.com's list of email addresses and passwords and, if they do not match an account on the adamsapples virtual server, throws an error instead of automatically redirecting to Ned's own account on nedsnitwits.com in Usermin?

Is this happening because of a coding error in Usermin, or is it related to the fact that I have accessed both accounts in my web browser? (Which, btw, is still a problem anyway.)
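The check the post asks for, written out as an added example. This is not Usermin's code and does not describe how Usermin actually decides anything; it only shows what a "does the Host header belong to the same virtual server as the account?" rule looks like, with the poster's exception for the server's own hostname. The server name `hostname.fqdn`, the table of virtual servers and their alias hostnames, and the table of plain usernames are all constructed for illustration.

```python
# Added example, not Usermin's code: a host-vs-account login check of the
# kind proposed in the post. Every hostname, domain and account below is
# constructed for illustration.
from typing import Optional, Tuple

# Hypothetical: the server's own FQDN. The post accepts that logging in via
# hostname.fqdn:20000 should work for any account, so that host is exempt.
SERVER_FQDN = "hostname.fqdn"

# Constructed: the hostnames each virtual server answers on (the domain plus
# the usual web/mail aliases). A real deployment would read this from the
# virtual-server configuration rather than a literal.
VIRTUAL_SERVERS = {
    "adamsapples.com": {"adamsapples.com", "www.adamsapples.com", "mail.adamsapples.com"},
    "nedsnitwits.com": {"nedsnitwits.com", "www.nedsnitwits.com", "mail.nedsnitwits.com"},
}

# Constructed: plain (non-email) usernames and the domain that owns them.
PLAIN_USERS = {
    "adam": "adamsapples.com",
    "ned": "nedsnitwits.com",
}

# One message for every rejection, so the new check cannot be used as an
# oracle to learn which accounts exist on which domain.
GENERIC_ERROR = "Login failed"


def normalise_host(host_header: str) -> str:
    """Reduce a Host header to a bare lower-case hostname.

    Handles 'name:20000', a trailing dot, and an IPv6 literal like '[::1]:20000'.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[1:host.index("]")]
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def virtual_server_for_host(host: str) -> Optional[str]:
    """Which virtual server (if any) serves this hostname."""
    for domain, names in VIRTUAL_SERVERS.items():
        if host in names:
            return domain
    return None


def domain_of_account(username: str) -> Optional[str]:
    """Domain an account belongs to: after '@' for email logins, else a lookup."""
    name = username.strip().lower()
    if "@" in name:
        local, _, domain = name.rpartition("@")
        return domain if local and domain in VIRTUAL_SERVERS else None
    return PLAIN_USERS.get(name)


def check_login_host(host_header: str, username: str) -> Tuple[bool, str]:
    """Return (allowed, internal_reason).

    The reason is for the server log only; the browser sees GENERIC_ERROR.
    """
    host = normalise_host(host_header)
    if host == SERVER_FQDN:
        return True, "login via the server's own hostname is accepted for any account"
    served = virtual_server_for_host(host)
    if served is None:
        return False, f"host {host!r} is not a known virtual server"
    owner = domain_of_account(username)
    if owner is None:
        return False, f"account {username!r} does not map to a virtual server"
    if owner != served:
        return False, f"account belongs to {owner}, request arrived for {served}"
    return True, f"account and host both belong to {served}"


def login_response(host_header: str, username: str) -> str:
    """What the browser would see: a neutral failure or success."""
    allowed, _reason = check_login_host(host_header, username)
    return "OK" if allowed else GENERIC_ERROR


if __name__ == "__main__":
    for host, user in [
        ("adamsapples.com:20000", "ned@nedsnitwits.com"),  # the post's scenario: must fail
        ("nedsnitwits.com:20000", "ned@nedsnitwits.com"),  # own domain: allowed
        ("mail.nedsnitwits.com:20000", "ned"),             # alias host, plain username
        ("hostname.fqdn:20000", "ned@nedsnitwits.com"),    # server FQDN: allowed
        ("[::1]:20000", "adam"),                           # IPv6 literal, unknown host
    ]:
        allowed, reason = check_login_host(host, user)
        print(f"{host:28} {user:22} {'allow' if allowed else 'deny ':5} {reason}")
```

The point of `login_response` is that Ned, arriving at adamsapples.com:20000 with his nedsnitwits.com credentials, gets the same "Login failed" he would get for a wrong password. If the rejection said "this account is on another domain", the check would itself confirm that the account exists, which is the opposite of the obscurity the post is after. The alias table matters too: a virtual server usually answers on www. and mail. hostnames as well as the bare domain, so comparing the Host header only against the bare domain would lock out legitimate logins.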