不中用 Posted April 16, 2015. This little icon that you find everywhere on your board: in the default setting, your board will allow GUESTS to send emails at random from your server .. This means: any sender email address can be used (no restrictions, let your imagination work (would be nice to hear some ideas!!) drugs@forfree dot com), the "Subject" field can be changed to whatever ............... "Message" is a full editor .. links, pictures, .. spam can be sent from your board without you knowing .. Because it is not really a bug .. the settings are there to change it easily .. but this is a serious vulnerability .. you open up your server to send out whatever malicious emails with your board logo/name on top .. your (mail) domain can be blacklisted in no time without you even knowing what happened .. there is no log or anything .. Other member groups, besides "guests", use the proper member/account email. I've checked a few websites here on the IPS (signature links) and many forgot about this one .. it should be set properly .. ASAP. System > Sharing. Change to:
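As an added illustration (not code from this thread or from IPS), the pattern the post describes next to a hardened version: a "share by email" handler that lets a guest supply sender, subject and body, versus one that refuses guests, fixes the From header and subject, and sends only a link to the board. ShareRequest, build_share_mail and the board.example addresses are hypothetical.

```python
"""Hypothetical 'share by e-mail' handler: unsafe guest-facing form vs hardened form."""
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional

BOARD_NAME = "Example Board"                       # constructed
BOARD_FROM = "noreply@board.example"               # constructed fixed envelope sender
ALLOWED_URL_PREFIX = "https://board.example/topic/"  # only the board's own content may be shared


@dataclass
class ShareRequest:
    user_email: Optional[str]  # None when the visitor is a guest (not logged in)
    sender_field: str          # "from" address typed into the form
    subject_field: str         # subject typed into the form
    message_field: str         # free-text/HTML editor body
    recipient: str
    url: str


def build_share_mail_unsafe(req: ShareRequest) -> EmailMessage:
    """The behaviour the thread warns about: visitor controls From, Subject and an HTML body."""
    msg = EmailMessage()
    msg["From"] = req.sender_field
    msg["To"] = req.recipient
    msg["Subject"] = req.subject_field
    msg.set_content(req.message_field, subtype="html")
    return msg


def build_share_mail(req: ShareRequest) -> Optional[EmailMessage]:
    """Hardened: guests are refused, headers are fixed, body is a plain link to board content."""
    if req.user_email is None:           # equivalent of 'guests may not use this'
        return None
    if not req.url.startswith(ALLOWED_URL_PREFIX):
        return None                      # nothing off-board can be shared
    msg = EmailMessage()
    msg["From"] = f"{BOARD_NAME} <{BOARD_FROM}>"   # always the board's own address
    msg["Reply-To"] = req.user_email               # the sharing member's account address
    msg["To"] = req.recipient
    msg["Subject"] = f"[{BOARD_NAME}] {req.user_email} shared a topic with you"
    msg.set_content(f"{req.user_email} wants you to see this topic:\n{req.url}\n")
    return msg
```

Every field a visitor can type in the unsafe version lands in the outgoing mail unchanged, which is why the thread's "any sender, any subject, full editor" description follows directly from the permission setting rather than from a code bug.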
tAPir Posted April 16, 2015. Thanks for spotting this. I hadn't even realized that guests could do anything by default.
不中用 (Author) Posted May 26, 2015. Bump .. better to check again that your site doesn't have this switch ON for guests ..
TheSonic Posted May 26, 2015. Wooo... I missed that one! Thank you very much for sharing.
Charles (Management) Posted May 26, 2015. Please be careful about what you call a "security" problem, as people will get unnecessarily scared. This is more of an annoyance that could cause spam. There is no security implication here. However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.
不中用 (Author) Posted May 26, 2015. Quoting Charles: "Please be careful about what you call a "security" problem, as people will get unnecessarily scared. This is more of an annoyance that could cause spam. There is no security implication here. However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way." Maybe you are too good a person, Charles .. and you don't see the bad. "Open Relay Security Guidelines" .. there will be more spam stories than nightmare ones .. but it is too "open" to say how lucky you can be if you're not careful enough .. Unnecessarily scared? You don't see your customers/clients as puppies, do you?
Charles (Management) Posted May 26, 2015. I am not saying it's a good thing, I am just saying it's not a "security" issue in that it's not going to get you hacked or anything like that.
The Old Man Posted May 30, 2015. Thanks for highlighting this, certainly good advice to double check how you have it set rather than overlooking it and assuming. #BestPractice I've seen permissions get changed by upgrades over the years that I know 100% I never set that way.
The Old Man Posted May 30, 2015. Just checked, and my 3.4.8 and 4.0.4 boards were set to allow everyone (including guests) to use the email as well! Thanks again.