Dragonfly CMS v9 ⇒ Security v9 :: Archives ⇒ Speaking of Spambots, here's a design flaw. :: Archived ⇒ Community Forums ⇒ CPG Dragonfly™ CMS

Archived ⇒ Speaking of Spambots, here's a design flaw.

I wanted to make sure I had an opportunity to review the new patches in 9.1.2 before I posted this.

Keep in mind this is NOT, I repeat NOT, a vulnerability in Dragonfly, but it is susceptible to abuse by spambots and humans alike.

What's Affected?

Tell-A-Friend Module.

What's the issue?

There is no restriction on sending email with this module.

Are there some details I can use?

Yes, depending on the setup of your site, the Tell-A-Friend module is a simple module to forward information to 'a friend' about a great web site. However, there are no restrictions in the module on any email address (valid or not!!) in either the FROM fields or the TO fields. It will simply allow anyone to email anyone from anyone. This email is not restricted by IP, nor does it report any usage by IP. The body of the email is populated in the module when selected, but you can easily transmit any body you wish, including trojans, XSS, and other malware.

What should I do?

My solution was simple: disable this except for REGISTERED USERS of your Dragonfly site. This reduced my abuses to NULL. If you allow visitors to use this, you may wish to watch this usage very carefully so you don't end up on a SPAM BLACKLIST or worse!

Using the new security module you can certainly restrict many of the common nuisance spam bots, but it won't affect real spammers or intelligent bots.

Recommendations for Developers?

Track usage much like an ERROR URI/URL and report it to the administrator. If a guest (anonymous user) is using it, report this via email to the admin (or PM the admin) when it's used.

This would allow an administrator to quickly see if it's being abused. I determined the abuse due to the uncanny logs showing visitors not referring to the site, but going strictly to that page, and then leaving the site.

Since restricting access to REGISTERED USERS, abuse has disappeared.

Mods: If you feel this post has a better home somewhere else, feel free to move it.

j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2
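The post above recommends three things for a Tell-A-Friend style form: allow only registered users, fix the sender and body so they cannot be chosen by the visitor, and log usage by IP and tell the admin when a guest tries it. The PHP below is an added example of such a gate written for this thread; it is not Dragonfly CMS code, and every helper name, file path and address in it (taf_*, TAF_LOG_FILE, ADMIN_EMAIL, SITE_FROM, SITE_BASE_URL, the way the CMS hands over the user name) is an assumption, not the module's real API.

```php
<?php
// Added example, not Dragonfly CMS code. Gate in front of a Tell-A-Friend
// style mail form implementing the thread's recommendations. All constants
// and helper names here are assumptions/placeholders.

declare(strict_types=1);

const TAF_LOG_FILE   = '/var/log/dragonfly/tellafriend.log'; // assumed log path
const ADMIN_EMAIL    = 'admin@example.com';                   // placeholder
const SITE_FROM      = 'noreply@example.com';                 // fixed sender, never user-supplied
const SITE_BASE_URL  = 'https://www.example.com/';            // only pages under this may be "told"
const MAX_PER_IP_DAY = 5;                                     // per-IP daily cap for registered users

/** Accept one plain address only; embedded line breaks are rejected so the
 *  value cannot carry extra mail headers into mail(). Returns null on failure. */
function taf_clean_address(string $addr): ?string
{
    $addr = trim($addr);
    if (preg_match('/[\r\n]/', $addr)) {
        return null;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}

/** Count log entries from $ip in the last $window seconds (log format: ts\tip\tuser\tto). */
function taf_count_recent(string $ip, int $window = 86400): int
{
    if (!is_file(TAF_LOG_FILE)) {
        return 0;
    }
    $cutoff = time() - $window;
    $n = 0;
    foreach (file(TAF_LOG_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$ts, $logIp] = explode("\t", $line) + [null, null];
        if ($logIp === $ip && (int)$ts >= $cutoff) {
            $n++;
        }
    }
    return $n;
}

/** Append one usage record; this is the "track it like an ERROR URI" part of the post. */
function taf_log(string $ip, string $user, string $to): void
{
    $rec = implode("\t", [time(), $ip, $user, $to]) . "\n";
    file_put_contents(TAF_LOG_FILE, $rec, FILE_APPEND | LOCK_EX);
}

/**
 * Returns null when the send may proceed, otherwise a refusal reason.
 * $userName is '' for guests (assumed to come from the CMS session layer).
 */
function taf_check_request(string $userName, string $ip, string $to, string $pageUrl): ?string
{
    if ($userName === '') {
        // The post's main fix: guests cannot send at all, and the admin hears about the attempt.
        mail(ADMIN_EMAIL, 'Tell-A-Friend: guest attempt',
             "Guest at $ip tried to mail " . str_replace(["\r", "\n"], ' ', $to),
             'From: ' . SITE_FROM);
        return 'Only registered users may use Tell-A-Friend.';
    }
    if (taf_clean_address($to) === null) {
        return 'Invalid recipient address.';
    }
    if (strncmp($pageUrl, SITE_BASE_URL, strlen(SITE_BASE_URL)) !== 0) {
        return 'Only pages on this site can be shared.';
    }
    if (taf_count_recent($ip) >= MAX_PER_IP_DAY) {
        return 'Daily Tell-A-Friend limit reached for this address.';
    }
    return null;
}

/** Send with a fixed From: and a fixed body template; the user picks only the recipient and page. */
function taf_send(string $userName, string $ip, string $to, string $pageUrl): bool
{
    $reason = taf_check_request($userName, $ip, $to, $pageUrl);
    if ($reason !== null) {
        error_log("tell-a-friend refused ($ip, '$userName'): $reason");
        return false;
    }
    $safeName = preg_replace('/[\r\n]+/', ' ', $userName);
    $body = "$safeName thought you might like this page:\n$pageUrl\n";
    $ok = mail($to, 'A page you might like', $body,
               'From: ' . SITE_FROM . "\r\nReply-To: " . SITE_FROM);
    if ($ok) {
        taf_log($ip, $userName, $to);
    }
    return $ok;
}

// Example call from a request handler (values here are constructed):
// taf_send($currentUserName ?? '', $_SERVER['REMOTE_ADDR'], $_POST['to'] ?? '', $_POST['url'] ?? '');
```

The log file doubles as the rate-limit store, so an administrator can grep it by IP to see exactly the pattern the post describes (visitors arriving straight at the Tell-A-Friend page and leaving) without any other tooling; on a busier site you would keep the counter in the database instead of rescanning the file on every request.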

I believe the FROM field can only be altered if you are an Admin; normal users don't get the option to change it.

Forwards Ever, Backwards Never!

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux-CentOS 5. Apache 2.2.3. SQL 5.0.87. PHP 5.2.11. DF9.2.1
