
[Sharing] [Email] major security vulnerability (Guests)


不中用

[screenshot]

This little icon, which you find everywhere on your board: in the default setting, your board will allow GUESTS to send emails at random from your server ..

This means :

  • any sender email address can be used (no restrictions, let your imagination work  :)  (would be nice to hear some ideas!!) drugs@forfree dot com)
  • the "Subject" field can be changed to whatever ...............
  • "Message" is a full editor .. links, pictures .. spam can be sent from your board without you knowing ..

[screenshot]

[screenshot]

Because it is not really a bug .. the settings are there to change it easily .. but this is a serious vulnerability .. you open up your server to send out whatever malicious emails with your board logo/name on top .. your (mail) domain can be blacklisted in no time without you even knowing what happened .. there is no log or anything ..

Other member groups, besides "guests", use the proper member/account email.

I've checked a few websites here on IPS (signature links) and many forgot about this one .. it should be set properly .. ASAP.

System > Sharing

[screenshot]

Change to :

[screenshot]

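The risk the post describes, as an added example that is not code from this thread or from IPS: a share-by-email handler in the weak form (sender, subject and body taken straight from the form, guests allowed, nothing recorded) beside a hardened version that refuses guests, pins the From header to the board's own address, uses the member's account address only as Reply-To, fixes the subject, shares only links on the board's own host, strips header-breaking characters from the note, rate-limits per member and logs every send. SITE_NAME, SITE_HOST, SITE_FROM, the ShareForm fields and the limits are assumptions; all addresses are constructed sample values.

```python
import html
import logging
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import urlparse

log = logging.getLogger("share_email")

# Assumed board settings; host and addresses are constructed sample values.
SITE_NAME = "Example Forum"
SITE_HOST = "forum.example"
SITE_FROM = "noreply@forum.example"   # the board's own sending address
MAX_NOTE = 500                        # cap on the optional personal note
RATE_LIMIT = 5                        # shares per member per window
RATE_WINDOW = 3600                    # window length in seconds

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass
class User:
    name: str
    email: str
    is_guest: bool = False


@dataclass
class ShareForm:
    """Fields the share widget submits (assumed from the thread's description)."""
    to: str
    url: str = ""
    sender: str = ""    # free-text sender address, as the weak form accepts it
    subject: str = ""
    message: str = ""


def weak_share(form: ShareForm, user: User) -> dict:
    """The behaviour the thread describes: any visitor, guests included,
    controls From, Subject and Body, and nothing is recorded."""
    return {"From": form.sender, "To": form.to,
            "Subject": form.subject, "Body": form.message}


def _header_safe(value: str) -> str:
    """Drop CR/LF so a value cannot inject extra mail headers."""
    return re.sub(r"[\r\n]+", " ", value).strip()


class ShareMailer:
    def __init__(self):
        self._sent = defaultdict(deque)   # member email -> timestamps of recent shares

    def _check_rate(self, key: str, now: float) -> None:
        window = self._sent[key]
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            raise PermissionError("share-by-email rate limit exceeded")
        window.append(now)

    def hardened_share(self, form: ShareForm, user: User, now=None) -> dict:
        """Build the message the way the recommended setting implies:
        members only, the board's own From, member address as Reply-To only."""
        if user.is_guest:
            log.warning("share-by-email denied for guest to=%s", form.to)
            raise PermissionError("guests may not share by email")
        if not EMAIL_RE.match(form.to):
            raise ValueError("invalid recipient address")
        link = urlparse(form.url)
        if link.scheme not in ("http", "https") or link.hostname != SITE_HOST:
            raise ValueError("only links to this board can be shared")
        now = time.time() if now is None else now
        self._check_rate(user.email, now)

        # Optional note: single line, HTML-escaped, length-capped, body only.
        note = html.escape(_header_safe(form.message))[:MAX_NOTE]
        sender_name = _header_safe(user.name)
        mail = {
            "From": SITE_FROM,
            "Reply-To": user.email,
            "To": form.to,
            "Subject": f"{sender_name} shared a link from {SITE_NAME}",
            "Body": f"{sender_name} thought you might like {form.url}\n\n{note}",
        }
        # Record every send so abuse can be traced (the post notes there is no log).
        log.info("share-by-email user=%s to=%s url=%s", user.email, form.to, form.url)
        return mail
```

The hardened path gives a recipient exactly what the weak one cannot: a From that is always the board's own address, so a blacklisting of your mail domain can be traced to a named member in the log rather than to an anonymous guest.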

1 month later...

Management

Please be careful about what you call a "security" problem, as people will get unnecessarily scared :)

This is more of an annoyance that could cause spam. There is no security implication here.

However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.


Maybe you are too good a person, Charles .. and you don't see the bad   :)

"Open Relay Security Guidelines" .. there will be more spam stories than nightmare ones .. but it is too "open" to say how lucky you can be if you're not careful enough ..

Unnecessarily scared? You don't see your customers/clients as puppies, do you?  :)


Thanks for highlighting this, certainly good advice to double check how you have it set rather than overlooking it and assuming. #BestPractice

I've seen permissions get changed by upgrades over the years that I know 100% I never set that way.

Edited by The Old Man
