Posted April 16, 2015

This little icon that you find everywhere on your board: in the default setting, your board will allow GUESTS to send emails at random from your server. This means: any sender email address can be used (no restrictions, let your imagination work (would be nice to hear some ideas!!) drugs@forfree dot com), the "Subject" field can be changed to whatever, "Message" is a full editor .. links, pictures, .. spam can be sent from your board without you knowing. Because it is not really a bug .. the settings are there to change it easily .. but this is a serious vulnerability .. you open up your server to send out whatever malicious emails with your board logo/name on top .. your (mail) domain can be blacklisted in no time without you even knowing what happened .. there is no log or anything. Other member groups, besides "guests", use the proper member/account email. I've checked a few websites here on the IPS (signature links) and many forgot about this one .. it should be set properly .. ASAP.

System > Sharing. Change to:
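What a hardened share-by-email handler looks like, as an added example that is not Invision Community's code: it refuses guests, pins the From address to a fixed system sender (the account address goes in Reply-To), generates the subject server-side, escapes and caps the free-text note, and logs every send. The sender address, the Member/ShareRequest types and the length cap are assumptions.

```python
"""Hardened 'share by email' handler (added example, not Invision Community code).

The thread's complaint: a guest could pick any sender address, any subject and an
HTML body, with nothing logged. This hypothetical handler pins all of those.
"""
import html
import logging
import re
from dataclasses import dataclass
from typing import Optional

logger = logging.getLogger("share_by_email")

SYSTEM_SENDER = "noreply@example-board.invalid"   # assumed fixed From address
MAX_NOTE_LEN = 300                                 # assumed cap on the free-text note
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Member:
    """Minimal stand-in for an authenticated account (constructed, not an IPS type)."""
    name: str
    email: str
    is_guest: bool = False


@dataclass
class ShareRequest:
    """Fields submitted by the form (constructed). 'sender' and 'subject' are the
    fields a guest could formerly control; the hardened handler ignores them."""
    to: str
    note: str = ""
    sender: Optional[str] = None
    subject: Optional[str] = None


def build_share_email(member: Member, req: ShareRequest, title: str, url: str) -> dict:
    """Return the message to hand to the mailer, or raise PermissionError/ValueError."""
    if member.is_guest:
        raise PermissionError("guests may not share by email")
    if not _EMAIL_RE.match(req.to):
        raise ValueError("invalid recipient address")
    # Plain text only: escape markup and cap length so the body cannot carry links/HTML
    note = html.escape(req.note.strip())[:MAX_NOTE_LEN]
    msg = {
        "from": SYSTEM_SENDER,             # never taken from the request
        "reply_to": member.email,          # the account's own address
        "to": req.to,
        "subject": f"{member.name} shared a topic with you",
        "body": f"{note}\n\n{html.escape(title)}\n{url}",
    }
    # Keep an audit trail of who shared what with whom
    logger.info("share_by_email member=%s to=%s url=%s", member.email, req.to, url)
    return msg
```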
April 16, 2015 Thanks for spotting this. I hadn't even realized that guests could do anything by default.
May 26, 2015 (Author) bump .. better to check again whether your site has this switch ON for guests ..
May 26, 2015 (Management) Please be careful on what you call a "security" problem, as people will get unnecessarily scared. This is more of an annoyance that could cause spam. There is no security implication here. However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.
May 26, 2015 (Author)

> Please be careful on what you call a "security" problem, as people will get unnecessarily scared. This is more of an annoyance that could cause spam. There is no security implication here. However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.

Maybe you are too good a person, Charles .. and you don't see the bad "Open Relay Security Guidelines" .. there will be more spam stories than nightmare ones .. but it is too "open" to say how lucky you can be if you're not careful enough .. Unnecessarily scared? You don't see your customers/clients as puppies, do you?
May 26, 2015 (Management) I am not saying it's a good thing. I am just saying it's not a "security" issue, in that it's not going to get you hacked or anything like that.
May 30, 2015 Thanks for highlighting this, certainly good advice to double check how you have it set rather than overlooking it and assuming. #BestPractice I've seen permissions get changed by upgrades over the years that I know 100% I never set that way. Edited May 30, 2015 by The Old Man
May 30, 2015 Just checked, and my 3.4.8 and 4.0.4 boards were set to allow everyone (including guests) to use the email as well! Thanks again. Edited May 30, 2015 by The Old Man