Topic: CPG - Security: ECards form used for SPAM (Read 8163 times)

ulistaerk · « **on:** January 07, 2006, 02:39:30 am »

I ran a normal cpg setup where everybody (including Anonymous) could send an ECard.

Yesterday the server admin noticed that our server was blacklisted as an open relay. After a short search, cpg was identified as the culprit. Somebody must have wrote a script that sent countinous http-requests to the ECard URL. As result thousands over thousands of emails were sent.

I'm sure there are many cpg installations that have the same critical setup. Due to the spammers script and the google search (just search for "Powered by Coppermine Photo Gallery" and you will find all installations) this can be a significant security issue.

Feature request: Warn the stupid admin if he allows anonymous to send ecards (warn via the javascript confirm dialog if anonymous can send ecards where you update the permissions)

kegobeer · « **Reply #1 on:** January 07, 2006, 03:23:10 am »

Quote from: ulistaerk

Feature request: Warn the stupid admin if he allows anonymous to send ecards (warn via the javascript confirm dialog if anonymous can send ecards where you update the permissions)

Hmm, I don't think so. That would alienate to thousands of users who know better than to allow anonymous users to send ecards.

Joachim Müller · « **Reply #2 on:** January 08, 2006, 01:45:52 pm »

however, we should add a feature to future coppermine versions that makes such attacks harder (a confirmation dialog or even some sort of Captcha)

News:

Author Topic: CPG - Security: ECards form used for SPAM (Read 8163 times)

ulistaerk

CPG - Security: ECards form used for SPAM

kegobeer

Re: CPG - Security: ECards form used for SPAM

Joachim Müller

Re: CPG - Security: ECards form used for SPAM