
[Sharing] [Email] major security vulnerability (Guests)

[Screenshot: the share-by-email icon]

This little icon, which you find everywhere on your board: in the default setting, your board will allow GUESTS to send emails at random from your server...

This means:

  • any sender email address can be used (no restrictions, let your imagination work :) (would be nice to hear some ideas!!) drugs@forfree dot com)
  • the "Subject" field can be changed to whatever...
  • the "Message" is a full editor... links, pictures... spam can be sent from your board without you knowing...

 

[Two screenshots: the share-by-email form]

It is not really a bug (the settings are there to change it easily), but this is a serious vulnerability: you open up your server to send out whatever malicious emails with your board logo/name on top. Your (mail) domain can be blacklisted in no time without you even knowing what happened; there is no log or anything.

 

Other member groups, besides "guests", use the proper member/account email.

 

I've checked a few websites here on the IPS (signature links) and many forgot about this one. It should be set properly, ASAP.

 

System > Sharing

 

[Screenshot: the Sharing settings as found, with the email option enabled for guests]

Change to:

[Screenshot: the Sharing settings with the email option disabled for guests]
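As an added example (written for this thread, not Invision Community code and not from any poster), here is the permissive share-by-email handler pattern the post describes next to a hardened one, in Python. The User, Mail and Mailer classes, the form keys, the board name, sender address and URL are all assumptions made for the illustration.

```python
"""
Share-by-email handler: the permissive pattern this thread describes
beside a hardened one. Added illustration, not Invision Community code;
User, Mail, Mailer, the form keys and the board constants are assumptions.
"""
import html
import re
from dataclasses import dataclass
from typing import Optional

# Assumed board identity; the hardened handler sends only from this address.
BOARD_NAME = "Example Board"
BOARD_SENDER = "noreply@forum.example.com"
BOARD_URL = "https://forum.example.com/"

# Deliberately strict: one local part, one domain, no whitespace or newlines,
# so a crafted recipient cannot smuggle extra headers into the message.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TAG_RE = re.compile(r"<[^>]*>")


@dataclass
class User:
    name: str
    email: str
    is_guest: bool = False


@dataclass
class Mail:
    sender: str
    to: str
    subject: str
    body: str
    reply_to: Optional[str] = None


class Mailer:
    """Stand-in for the board's outbound transport: records instead of sending."""

    def __init__(self) -> None:
        self.sent: list = []

    def send(self, mail: Mail) -> None:
        self.sent.append(mail)


def share_by_email_weak(user: User, form: dict, mailer: Mailer) -> bool:
    """The pattern the thread warns about: the From address, subject and an
    HTML body all come straight from the form, and nobody checks whether the
    caller is a guest. The board becomes an open relay with its own branding."""
    mailer.send(Mail(sender=form["from"], to=form["to"],
                     subject=form["subject"], body=form["message"]))
    return True


def share_by_email_hardened(user: User, form: dict, mailer: Mailer,
                            log: list) -> bool:
    """Members only, fixed sender and subject, the account e-mail as Reply-To,
    a board URL as the payload, a short plain-text note, and a log entry for
    every attempt (the thread points out there is no log at all by default)."""
    to = form.get("to", "").strip()
    url = form.get("url", "")
    if user.is_guest:
        log.append(f"denied guest share to={to!r}")
        return False
    if not EMAIL_RE.fullmatch(to):
        log.append(f"denied member={user.email} bad recipient to={to!r}")
        return False
    # Only pages on this board can be shared; an arbitrary URL would turn
    # the board into a branded phishing relay.
    if not url.startswith(BOARD_URL):
        log.append(f"denied member={user.email} off-board url={url!r}")
        return False
    # Strip markup and collapse to a short plain-text note so no links,
    # images or raw editor output from the user reach the recipient.
    note = html.unescape(TAG_RE.sub("", form.get("message", "")))
    note = " ".join(note.split())[:300]
    body = (f"{user.name} shared a page from {BOARD_NAME} with you:\n{url}\n"
            + (f"\nNote from {user.name}: {note}\n" if note else ""))
    mailer.send(Mail(sender=BOARD_SENDER, to=to,
                     subject=f"{user.name} shared a page from {BOARD_NAME}",
                     body=body, reply_to=user.email))
    log.append(f"sent member={user.email} to={to} url={url}")
    return True


if __name__ == "__main__":
    # Constructed sample: a guest submitting a spam message through the form.
    spam = {"from": "drugs@forfree.example", "to": "victim@example.org",
            "subject": "Buy now", "url": "http://evil.example/",
            "message": '<a href="http://evil.example/">Buy cheap pills</a>'}
    weak, hard, log = Mailer(), Mailer(), []
    share_by_email_weak(User("Guest", "", is_guest=True), spam, weak)
    share_by_email_hardened(User("Guest", "", is_guest=True), spam, hard, log)
    print("weak relayed from:", weak.sent[0].sender)
    print("hardened sent:", len(hard.sent), "log:", log)
```

The weak version is the behaviour the screenshots show once guests are allowed the option: the board's mail server signs nothing, fixes nothing, and keeps no record. The hardened version is what the permission switch should be backed by even for members: the account address only ever appears as Reply-To, the recipient is validated with `fullmatch` so a newline in the field cannot add headers, and every attempt is logged.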


Thanks for spotting this.  I hadn't even realized that guests could do anything by default.

  • 1 month later...
  • Author

Bump. Better to check again that your site doesn't have this switch ON for guests.

 


Wooo... I missed that one! Thank you very much for sharing.

  • Management

Please be careful on what you call a "security" problem as people will get unnecessarily scared :)

This is more of an annoyance that could cause spam. There is no security implication here.

However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.

^ rekt

  • Author

Please be careful on what you call a "security" problem as people will get unnecessarily scared :)

This is more of an annoyance that could cause spam. There is no security implication here.

However, the default on this is already to not allow Guests to use it. You probably upgraded from an older version where the default was not set in this way.

Maybe you are too good a person, Charles, and you don't see the bad :)

"Open Relay Security Guidelines"... there will be more spam stories than nightmare ones, but it is too "open" to say how lucky you can be if you're not careful enough.

Unnecessarily scared? You don't see your customers/clients as puppies, do you? :)

 


  • Management

I am not saying it's a good thing :) I am just saying it's not a "security" issue in that it's not going to get you hacked or anything like that.

Updated our permissions, thanks. 

Thanks for highlighting this, certainly good advice to double check how you have it set rather than overlooking it and assuming. #BestPractice

I've seen permissions get changed by upgrades over the years that I know 100% I never set that way.

 

Edited by The Old Man

Just checked, and my 3.4.8 and 4.0.4 boards were set to allow everyone (including guests) to use the email as well! Thanks again.

Edited by The Old Man
