eZ publish 3.2 vulnerable to spam attacks


Roy Viggo Pedersen

Friday 24 October 2003 8:13:55 am

The new /form/process function in 3.2 makes it possible to use eZ publish to send spam. Both sender and receiver email addresses are sent to the function as HTTP POST variables, and the email is sent without any checking of where the response came from. All eZ 3.2 sites that use /form/process (need access to the form module by the Anonymous role) can therefore be used by spammers.

I've made a mod that uses a hidden id (ContentObjectID) in the form, and a modified process.php that fetches the content object. The object is of class Form, which contains all the fields needed to send the email. In that way, email is always sent to the receiver. A little better, but not perfect.

I hope this function gets some attention in eZ 3.3?

Check out the mod:
http://ez.no/developer/ez_publish_3/contributions/form_processing_spam_prevention_mod

Roy Viggo Pedersen

Paul Forsyth

Friday 24 October 2003 8:32:09 am

I'm sure it will. Security is always a priority.

paul

Jan Borsodi

Monday 27 October 2003 7:05:34 am

I'm currently looking into this problem, the fix will be part of the 3.2-3 release.
Thanks for the notice.

--
Amos

Documentation: http://ez.no/ez_publish/documentation
FAQ: http://ez.no/ez_publish/documentation/faq

Jan Borsodi

Tuesday 28 October 2003 2:11:25 am

The module will be turned off by default in 3.2-3 and 3.3 (uses a separate setting). The reason for this is that the module is insecure by design and should only be used if you really need this kind of functionality.

As for 3.3 I would recommend using the new revised information collector system, you will be able to do the same things you have in your fix.

--
Amos

Paul Forsyth

Tuesday 28 October 2003 2:24:11 am

Does this affect current 3.2-2 information collectors? We have several sites using this.

Paul

Jan Borsodi

Tuesday 28 October 2003 4:16:32 am

The 'spam attack' problem is not in the information collection system but in the separate form module.
This module will fetch all POST variables, generate a mail out of it and send it.

--
Amos
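The two handler shapes discussed in this thread (a module that builds a mail out of whatever arrives in the POST body, versus Roy's approach of resolving the recipient from a server-side Form object selected by an id), as an added PHP sketch. This is not eZ publish code and not the linked mod; the function names, the `$formRegistry` array and the sample addresses are constructed for the example.

```php
<?php
// Added illustration, not eZ publish code and not the contributed mod.
// vulnerable_form_process, hardened_form_process, is_safe_header_value and
// $formRegistry are assumed names for this example only.

// The pattern the thread describes: sender and receiver both come from the
// request, so whoever can reach the module picks both ends of the mail.
function vulnerable_form_process(array $post): array
{
    $headers = "From: " . $post['sender'] . "\r\n";
    // mail() would be called with these values; returned here for inspection.
    return [
        'to'      => $post['receiver'],
        'subject' => $post['subject'],
        'body'    => $post['message'],
        'headers' => $headers,
    ];
}

// Hardened shape: an opaque form id selects a server-side record that fixes
// the recipient and subject; visitor input never reaches the To: or From: header.
$formRegistry = [ // constructed sample data; in eZ this would be the Form content object
    'contact-42' => ['to' => 'webmaster@example.com', 'subject' => 'Contact form'],
];

function is_safe_header_value(string $value): bool
{
    // CR, LF or NUL in a header value would let a field smuggle in extra
    // headers (e.g. additional recipients); reject them outright.
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function hardened_form_process(array $post, array $registry): ?array
{
    $id = $post['form_id'] ?? '';
    if (!isset($registry[$id])) {
        return null; // unknown form id: refuse instead of trusting POST for the recipient
    }
    $form = $registry[$id];

    $replyTo = filter_var($post['sender'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($replyTo === false || !is_safe_header_value($replyTo)) {
        return null; // malformed visitor address
    }
    $message = (string) ($post['message'] ?? '');
    if ($message === '' || strlen($message) > 4000) {
        return null; // empty or oversized body
    }

    // From: is a site-owned address; the visitor's address only appears in Reply-To.
    $headers = "From: noreply@example.com\r\nReply-To: " . $replyTo . "\r\n";
    return [
        'to'      => $form['to'],      // fixed server-side, never taken from the request
        'subject' => $form['subject'], // fixed per form
        'body'    => $message,
        'headers' => $headers,
    ];
}

// Constructed request that supplies its own receiver, as the vulnerable module accepts.
$request = [
    'form_id'  => 'contact-42',
    'sender'   => 'visitor@example.net',
    'receiver' => 'someone-else@example.org',
    'subject'  => 'anything',
    'message'  => 'hello',
];

// Vulnerable handler: the mail goes wherever 'receiver' says.
echo vulnerable_form_process($request)['to'], "\n";   // someone-else@example.org
// Hardened handler: the 'receiver' field is ignored; the registry decides.
echo hardened_form_process($request, $formRegistry)['to'], "\n"; // webmaster@example.com
```

The detection side follows from the same property: a form module that legitimately only ever mails a small set of site-owned addresses should never produce outbound mail to arbitrary domains, so the mail log is the place to spot abuse of the 3.2 module while it is still enabled.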

Paul Forsyth

Tuesday 28 October 2003 4:22:27 am

My post was referring to the switching off of the process module. You mentioned that users should use the new improved information collector routines in ez3.3. If the form module is separate why mention this?

This implied that the switching off of the module affects current info collector routines. Does it?

paul

Jan Borsodi

Wednesday 29 October 2003 1:47:36 am

> This implied that the switching of the module affects current
> info collector routines. Does it?

No, the switch is only for the form/process module.

--
Amos
