[Sharing] [Email] major security vulnerability (Guests)

[不中用]

.

 

This little icon that you find everywhere on your board, in default setting, your board will allow GUESTS to send emails at random from your server ..

This means :

• any sender email address can be used ( no restrictions, let your imagination work    ( would be nice to hear some ideas!! ) drugs@forfree dot com )
• "Subject" field can be changed in whatever ...............
• "Message" is a full editor .. links, pictures, .. spam can be send from your board without you knowing ..

 

 

 

Because it is not really a bug .. the settings are there to change it easily .. but this is a serious vulnerability .. you open up your server to send out whatever malicious emails with your board logo/name on top .. your (mail) domain can be blacklisted in no time without you even know what happened .. there is no log or anything ..

 

Other member groups, besides "guests", use the proper member/account email.

 

I've checked a few websites here on the IPS (signature links) and many forgot about this one .. it should be set properly .. ASAP.

 

System > Sharing

 

 

Change to :

 

 

 

.

 

 

[tAPir]

Thanks for spotting this.  I hadn't even realized that guests could do anything by default.

[不中用]

.

bump .. better to check again if your site hasn't have this switch ON for guests ..

 

.

[TheSonic]

Wooo... I missed that one! Thank you very much for sharing.

[Charles]

Please be careful on what you call a "security" problem as people will get unnecessarily scared

This is more of an annoyance that could cause spam. There is no security implication here.

However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.

[Jswerv3]

^ rekt

[不中用]

Please be careful on what you call a "security" problem as people will get unnecessarily scared

This is more of an annoyance that could cause spam. There is no security implication here.

However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.

​.

Maybe you are a too good person Charles .. and you don't see the bad  

"Open Relay Security Guidelines" .. there will be more spam stories then nightmare ones .. but it is too "open" to say how lucky you can be if you're not careful enough ..

 

Unnecessarily scared ? You not see your customers/clients as puppies aren't you ? 

 

.

[Charles]

I am not saying it's a good thing I am just saying it's not a "security" issue in that it's not going to get you hacked or anything like that.

[Lee69]

Updated our permissions, thanks. 

[The Old Man]

Thanks for highlighting this, certainly good advice to double check how you have it set rather than overlooking it and assuming. #BestPractice

I've seen permissions get changed by upgrades over the years that I know 100% I never set that way.

 

Edited May 30, 2015 by The Old Man

[The Old Man]

Just checked any my 3.4.8 and 4.0.4 boards were set to allow everyone (including guests) to use the email as well! Thanks again. 

Edited May 30, 2015 by The Old Man