Email Exploit of the Share Article/Post Function

[sadams101]

When I ran the support function today I was notified that there was an optional patch to fix a Facebook login issue, as well as other issues, including a fix for an exploit where bots can spam using the email share feature.  This actually horrified me.

Why would this patch not be pushed through as an immediate update security patch, instead of optional?

For weeks now I've been seeing strange unexplained bounces that didn't make sense. How much spam did this exploit allow?

I'm really shocked as how you handled the roll out of this fix. Email exploits are the oldest hacking activity there is...why would you have such an exploit in your software?

[bfarber]

It's not an "exploit". There is a "share by email" feature in the software and we have made adjustments to the feature following reports of spam being sent using said feature. We pushed out an ACP notification at the time, as well as a patch, to address the concern, but it's not a true security exploit - the feature is in fact doing what it is intended to do.

[sadams101]

Well, I would consider the ability to send spam from my site an exploit, but won't argue about it with you. Given the ability of those who want to exploit such forms, and how easy it apparently is for them to spoof IP addresses, I hope your fixes have shut this down as a way for them to spam.

Edited August 7, 2020 by sadams101

[PPlanet]

On 8/8/2020 at 7:07 AM, bfarber said:

It's not an "exploit". There is a "share by email" feature in the software and we have made adjustments to the feature following reports of spam being sent using said feature. We pushed out an ACP notification at the time, as well as a patch, to address the concern, but it's not a true security exploit - the feature is in fact doing what it is intended to do.

I know this was fixed back then, but since I'm still on that version (4.4.9) what I did was simply disabling the share by email feature immediately. Since then, my email service has been used by spammers twice, but I'm not saying my IPS installation is to blame. There could be other reasons as I also send emails through other sites using the same STMP service/mailbox, but just to be able to rule my forum out among the suspects, has it been confirmed that you are safe if you have the share by email feature disabled?

(And yes, I know it would be safer to upgrade, but since 4.5 was in discussion for so long, I never got around to upgrade to 4.4.10 for shortage of time, etc. I thought to upgrade to 4.5 when the time comes, and all third party plugins are ready). So, this is a mere question about 4.4.9 and this problem with the share by email feature. I'll appreciate if someone could confirm your site couldn't be used by spammers if you had this feature disabled. Cheers!

[bfarber]

If you disable the share by email feature, then spammers will not be able to use that feature. I am unaware at this time of any other areas where an end user could send an arbitrary email through your site.

[PPlanet]

13 hours ago, bfarber said:

If you disable the share by email feature, then spammers will not be able to use that feature. I am unaware at this time of any other areas where an end user could send an arbitrary email through your site.

Okay, great. Thanks for confirming.