eZ publish 3.2 vulnerable to spam attacks

Friday 24 October 2003 8:13:55 am

The new /form/process function in 3.2 makes it possible to use eZ publish to send spam. Both sender and receiver email address are sent to the function as HTTP POST variables, and the email is sent without any checking where the response came from. All eZ 3.2 sites that use /form/process (need access to form module by Anonymous role) can therefore be used by spammers.

I've made a mod that use a hidden id (ContentObjectID) in the form, and a modified process.php that fetch the content object. The object is of class Form, which contain all the fields needed to send the email. In that way, email is always sent to the receiver. A little better, but not perfect.

I hope this function get some attention in eZ 3.3?

Check out the mod:
http://ez.no/developer/ez_publish_3/contributions/form_processing_spam_prevention_mod

Roy Viggo Pedersen

Monday 27 October 2003 7:05:34 am

I'm currently looking into this problem, the fix will be part of the 3.2-3 release.
Thanks for the notice.

--
Amos

Documentation: http://ez.no/ez_publish/documentation
FAQ: http://ez.no/ez_publish/documentation/faq

Tuesday 28 October 2003 2:24:11 am

Does this affect current 3.2-2 information collectors? We have several sites using this.

Paul

Tuesday 28 October 2003 4:22:27 am

My post was referring to the switching off of the process module. You mentioned that users should use the new improved information collecter routines in ez3.3. If the form module is seperate why mention this?

This implied that the switching of the module affects current info collector routines. Does it?

paul