

Topic: ECard Email Exploit Still Exists After Upgrade

Illuvatar

  • Coppermine newbie
  • Gender: Male
  • Posts: 5
    • War of the Ring
ECard Email Exploit Still Exists After Upgrade
« on: October 02, 2008, 02:28:57 am »

Hello,

We had an email exploit associated with the ECard functionality which I was hoping would be resolved after I upgraded from 1.4.0 to 1.4.9, but it is still occurring even after I removed and replaced the ecard.php file in its entirety during the upgrade.

I am going to just rename the ecard.php file for now to see if that stops the hundreds of rejections I'm getting daily, like the one below:
Quote
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_a9015e4e2f33e6562ec8a717c4424b16"


--b1_a9015e4e2f33e6562ec8a717c4424b16
Content-Type: text/plain; charset = "iso-8859-1"
Content-Transfer-Encoding: 8bit

An e-card from arnold for you
=========================================

To view the ecard, copy and paste this url into your browser's address bar::
http://warofthering.net/gallery/galleries/displayecard.php?data=YTo5OntzOjI6InJuIjtzOjY6ImFybm9sZCI7czoyOiJzbiI7czo2OiJhcm5vbGQiO3M6Mjoic2UiO3M6MTU6InJveUBob3RtYWlsLmNvbSI7czoxOiJwIjtzOjgyOiJodHRwOi8vd2Fyb2Z0aGVyaW5nLm5ldC9nYWxsZXJ5L2dhbGxlcmllcy9hbGJ1bXMvZm90cmdhbGFkcmllbC9pbWFnZXMvZm90cl8xNjAuanBnIjtzOjE6ImciO3M6MTA6IlBCRk1hWm5wdkIiO3M6MToibSI7czoyMzE3OiJnb29kICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9jdWd0dWZya213YS9iaWtpbmktdGhvbmctZ2FsbGVyaWVzLmh0bWwgJmd0O2Jpa2luaSB0aG9uZyBnYWxsZXJpZXMmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9oYWNidWZncnhici9vZGQtd2llcmQtYml6YXJyZS1xdWl6emVzLmh0bWwgJmd0O29kZCB3aWVyZCBiaXphcnJlIHF1aXp6ZXMmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9nb3pwdWN3ZmdkeC9zZXh5LW5ha2VkLWxpbmdlcmllLmh0bWwgJmd0O3NleHkgbmFrZWQgbGluZ2VyaWUmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9ndG9wenB6c2Uvc2VlLW15LWN1bnQuaHRtbCAmZ3Q7c2VlIG15IGN1bnQmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly9ibG9nLjM2MC55YWhvby5jb20vYmxvZy13bWdubGNvMGViTU8zdFBvcDlJMHRyeHAyUS0tP2NxPTEmYW1wO3A9MTAxICZndDtmaXJzdCBjbGFzcyBjaGVhcCBkaXNjb3VudGUgYWlybGluZSB0aWNrZXQmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9iaGFka2FrbW16L2xpdmUtc2V4LXNob3dzLWluLXBvcnRsYW5kLW9yZWdvbi5odG1sICZndDtsaXZlIHNleCBzaG93cyBpbiBwb3J0bGFuZCBvcmVnb24mbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9jZ3hvdGtub2RjZnQvYW0taS1sZXNiaWFuLmh0bWwgJmd0O2FtIGkgbGVzYmlhbiZsdDsvYSZndDsgJmx0O2EgaHJlZj0gaHR0cDovL2Jsb2cuMzYwLnlhaG9vLmNvbS9ibG9nLV9CUmNrNTQuYTdNSFJHZzVOT2FXb1RseERIcy0% [link truncated in the original post]

Now, just so you know, renaming the entire gallery folder to --old completely stops this. Our gallery is a major draw, so this is not acceptable. Any ideas?
All who wander are not lost. ~ Tolkien
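The bounce quoted above carries the e-card itself in the link: the base64 after `data=` decodes to a PHP-serialized array beginning `a:9:{s:2:"rn";...`, with the keys `rn`, `sn`, `se`, `p`, `g` and `m` (recipient name, sender name, sender e-mail, picture, greeting, message) visible before the bounce truncates. When you are sifting hundreds of such rejections it helps to pull those fields out and list the URLs a spammer stuffed into the message. The following is an added example, not code from the original post or from Coppermine: a small read-only parser for that serialized format, so bounce contents never reach a real `unserialize()`. The sample card, its names, addresses and hosts are constructed for the example.

```python
"""Decode the data= parameter of a displayecard.php link found in a bounce.

Added example, not Coppermine code. Handles the PHP serialize() subset an
e-card payload uses (strings, ints, floats, bools, null, arrays) without
calling unserialize() on attacker-controlled bytes. Sample data is invented.
"""
import base64
import html
import re
import urllib.parse


def php_serialize(value) -> str:
    """Minimal PHP serialize(); used only to build the constructed sample."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # PHP string lengths are byte counts; the bounce declares iso-8859-1.
        return f's:{len(value.encode("latin-1"))}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def _parse(text: str, i: int):
    """Parse one serialized value at text[i]; return (value, index after it)."""
    tag = text[i]
    if tag == "N":
        return None, i + 2
    if tag in ("i", "d", "b"):
        end = text.index(";", i)
        body = text[i + 2:end]
        if tag == "i":
            return int(body), end + 1
        if tag == "d":
            return float(body), end + 1
        return body == "1", end + 1
    if tag == "s":
        colon = text.index(":", i + 2)
        length = int(text[i + 2:colon])      # declared byte length
        start = colon + 2                    # skip :"
        end = start + length
        if text[end:end + 2] != '";':
            raise ValueError(f"bad string terminator at {end}")
        return text[start:end], end + 2
    if tag == "a":
        colon = text.index(":", i + 2)
        count = int(text[i + 2:colon])
        j = colon + 2                        # skip :{
        out = {}
        for _ in range(count):
            key, j = _parse(text, j)
            val, j = _parse(text, j)
            out[key] = val
        if text[j] != "}":
            raise ValueError(f"bad array terminator at {j}")
        return out, j + 1
    raise ValueError(f"unsupported tag {tag!r} at {i}")


def decode_ecard_data(param: str) -> dict:
    """param is the value of ?data=..., URL-encoded or not, padding optional."""
    b64 = urllib.parse.unquote(param)
    b64 += "=" * (-len(b64) % 4)             # mailers often strip trailing '='
    text = base64.b64decode(b64).decode("latin-1")  # one char per byte
    value, end = _parse(text, 0)
    if end != len(text) or not isinstance(value, dict):
        raise ValueError("payload is not a single serialized array")
    return value


_HREF = re.compile(r'href\s*=\s*"?\s*(https?://[^\s"\'<>]+)', re.IGNORECASE)


def message_links(card: dict) -> list:
    """URLs injected into the free-text message (m), after entity decoding."""
    return _HREF.findall(html.unescape(card.get("m", "")))


# Constructed sample with the field layout seen in the bounce (values invented).
SAMPLE_CARD = {
    "rn": "alice",                                   # recipient name
    "sn": "arnold",                                  # sender name
    "se": "sender@example.invalid",                  # sender e-mail
    "p": "http://gallery.example/albums/a/img_160.jpg",  # picture
    "g": "qwXzPlmTra",                               # greeting (random in spam)
    "m": "good &lt;a href= http://spam-one.example/x.html &gt;x&lt;/a&gt; "
         "&lt;a href= http://spam-two.example/y.html &gt;y&lt;/a&gt;",
}
SAMPLE_PARAM = urllib.parse.quote(
    base64.b64encode(php_serialize(SAMPLE_CARD).encode("latin-1")).decode("ascii")
)

if __name__ == "__main__":
    card = decode_ecard_data(SAMPLE_PARAM)
    print(card["se"], "->", card["rn"], "links:", message_links(card))
```

Feed it the `data=` value from a real bounce and the `se` field tells you which sender address the bot used while `message_links` gives you the spam hosts to block or report; both are worth logging server-side for an open e-card form.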

Nibbler

  • Guest
Re: ECard Email Exploit Still Exists After Upgrade
« Reply #1 on: October 02, 2008, 02:36:35 am »

What is the exploit? If you don't want anonymous users to use the ecard feature then disallow it on the groups page.

Illuvatar

  • Coppermine newbie
  • Gender: Male
  • Posts: 5
    • War of the Ring
Re: ECard Email Exploit Still Exists After Upgrade
« Reply #2 on: October 02, 2008, 03:19:47 am »

Well, the exploit is sending ecards by the hundreds.

I really don't mind if users have this option. I did the rename of the php file and the emails have stopped, but I can rename it back and see if disabling it at the Group level works.

I'll give it a try.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: ECard Email Exploit Still Exists After Upgrade
« Reply #3 on: October 02, 2008, 07:26:07 am »

How could this be prevented if you allow anonymous visitors to send ecards? The script can't determine the difference between a human visitor and a bot. That's not an exploit, as it is a weakness you deliberately open up. You're welcome to suggest changes for the future.

Illuvatar

  • Coppermine newbie
  • Gender: Male
  • Posts: 5
    • War of the Ring
Re: ECard Email Exploit Still Exists After Upgrade
« Reply #4 on: October 03, 2008, 04:34:01 am »

Okay, understood. So it was the Anonymous user setting. Thanks.

I did turn them off and the emails have stopped.

Very glad to hear that it wasn't a real exploit.

The only thing that I would suggest is a verification option to be invoked, like the one used during most registration scripts, to validate that it's a human and not a bot.

This would allow unregistered users to send an ecard from galleries like ours that don't even allow registrations.

Thanks for your time.

Gizmo

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 1015
    • BullsEye Photos
Re: ECard Email Exploit Still Exists After Upgrade
« Reply #5 on: October 03, 2008, 05:15:05 am »

Check out this post that integrates CAPTCHA with ecards. It's a bit lengthy, but I used it on one of my galleries that's open to the public.
Did you read the manual first???? Taking 2 minutes to backup your files can save you hours of wondering what you screwed up.
Billy Bullock - BullsEyePhotos Blog of Indecision
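The replies above lay out the choices for an e-card form: close it to guests (Reply #1), or keep it open and make the guest prove they are human (Reply #4 and the CAPTCHA post in Reply #5), since, as Reply #3 says, the script itself cannot tell a bot from a person. The following is an added example that is not from this thread or from Coppermine: a gate that stacks those two controls with a per-IP sliding-window send budget as a backstop, then replays a bot's 300 submissions against each configuration to show how many e-cards get out. The class, limits, IP address and injectable clock are assumptions for the example.

```python
"""Anti-abuse gate for an anonymous e-card form (added example, not Coppermine code).

Three controls in order: the guest-group permission, a CAPTCHA result for
guests, and a per-IP sliding-window rate limit that also bounds logged-in
users and anyone who farms out CAPTCHA solving. Limits are assumptions.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class EcardGate:
    def __init__(self, *, allow_anonymous: bool, require_captcha_for_anonymous: bool,
                 max_per_window: int = 5, window_seconds: float = 3600.0,
                 clock=time.monotonic):
        self.allow_anonymous = allow_anonymous
        self.require_captcha = require_captcha_for_anonymous
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock
        self._sent = defaultdict(deque)      # client ip -> send times in window

    def check(self, *, ip: str, logged_in: bool, captcha_passed: bool) -> Decision:
        # 1. Group permission switch: the fix that worked for the original poster.
        if not logged_in and not self.allow_anonymous:
            return Decision(False, "anonymous e-cards disabled for guest group")
        # 2. Human check for guests: the CAPTCHA suggested in the thread.
        if not logged_in and self.require_captcha and not captcha_passed:
            return Decision(False, "captcha not solved")
        # 3. Backstop: a send budget per source address, whoever the sender is.
        now = self.clock()
        q = self._sent[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                      # drop sends older than the window
        if len(q) >= self.max_per_window:
            return Decision(False, "rate limit exceeded")
        q.append(now)
        return Decision(True, "ok")


class FakeClock:
    """Deterministic clock so the replay runs offline and repeatably."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


def simulate_bot(gate: EcardGate, attempts: int, clock: FakeClock, gap: float = 1.0) -> int:
    """A bot: anonymous, never solves the CAPTCHA, one submission per `gap` seconds."""
    accepted = 0
    for _ in range(attempts):
        if gate.check(ip="198.51.100.7", logged_in=False, captcha_passed=False).allowed:
            accepted += 1
        clock.advance(gap)
    return accepted


def run_scenarios(attempts: int = 300) -> dict:
    """E-cards a bot gets out under each configuration discussed in the thread."""
    results = {}
    c = FakeClock()   # (a) original setup: guests may send, no challenge, no budget
    results["open"] = simulate_bot(EcardGate(allow_anonymous=True,
        require_captcha_for_anonymous=False, max_per_window=10**9, clock=c), attempts, c)
    c = FakeClock()   # (b) Reply #1: disallow the guest group
    results["guests_disabled"] = simulate_bot(EcardGate(allow_anonymous=False,
        require_captcha_for_anonymous=False, clock=c), attempts, c)
    c = FakeClock()   # (c) Reply #4/#5: keep guests but require a CAPTCHA
    results["captcha"] = simulate_bot(EcardGate(allow_anonymous=True,
        require_captcha_for_anonymous=True, clock=c), attempts, c)
    c = FakeClock()   # (d) budget only: 5 per hour per IP, bot fires once a second
    results["rate_limited"] = simulate_bot(EcardGate(allow_anonymous=True,
        require_captcha_for_anonymous=False, max_per_window=5, window_seconds=3600,
        clock=c), attempts, c)
    return results


if __name__ == "__main__":
    for name, n in run_scenarios().items():
        print(f"{name:16s} bot e-cards accepted out of 300: {n}")
```

The budget in step 3 is what keeps a compromised account or a CAPTCHA-solving service from turning the form back into a relay; a wall-clock window keyed on the source address is the simplest form, and a production version would persist the counters rather than keep them in process memory.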