Forums / Developer / eZ publish 3.2 vulnerable to spam attacks
Roy Viggo Pedersen
Friday 24 October 2003 8:13:55 am
The new /form/process function in 3.2 makes it possible to use eZ publish to send spam. Both sender and receiver email address are sent to the function as HTTP POST variables, and the email is sent without any checking where the response came from. All eZ 3.2 sites that use /form/process (need access to form module by Anonymous role) can therefore be used by spammers.
I've made a mod that use a hidden id (ContentObjectID) in the form, and a modified process.php that fetch the content object. The object is of class Form, which contain all the fields needed to send the email. In that way, email is always sent to the receiver. A little better, but not perfect.
I hope this function get some attention in eZ 3.3?
Check out the mod:http://ez.no/developer/ez_publish_3/contributions/form_processing_spam_prevention_mod
Paul Forsyth
Friday 24 October 2003 8:32:09 am
Im sure it will. Security is always a priority.
paul
Jan Borsodi
Monday 27 October 2003 7:05:34 am
I'm currently looking into this problem, the fix will be part of the 3.2-3 release.Thanks for the notice.
-- Amos Documentation: http://ez.no/ez_publish/documentation FAQ: http://ez.no/ez_publish/documentation/faq
Tuesday 28 October 2003 2:11:25 am
The module will be turned off by default in 3.2-3 and 3.3 (uses a separate setting). The reason for this is that the module is insecure by design and should only be used if you really need this kind of functionality.
As for 3.3 I would recommend using the new revised information collector system, you will be able to do the same things you have in your fix.
Tuesday 28 October 2003 2:24:11 am
Does this affect current 3.2-2 information collectors? We have several sites using this.
Paul
Tuesday 28 October 2003 4:16:32 am
The 'spam attack' problem is not in the information collection system but in the separate form module.This module will fetch all POST variables, generate a mail out of it and send it.
Tuesday 28 October 2003 4:22:27 am
My post was referring to the switching off of the process module. You mentioned that users should use the new improved information collecter routines in ez3.3. If the form module is seperate why mention this?
This implied that the switching of the module affects current info collector routines. Does it?
Wednesday 29 October 2003 1:47:36 am
> This implied that the switching of the module affects current> info collector routines. Does it?
No, the switch is only for the form/process module.