ECard Email Exploit Still Exists After Upgrade

Started by Illuvatar, October 02, 2008, 02:28:57 AM


Illuvatar

Hello,

We had an email exploit associated with the ECard functionality which I was hoping would be resolved after I upgraded from 1.4.0 to 1.4.9 but it is still occurring even after I removed and replaced the ecard.php file in its entirety during the upgrade.

I am going to just rename the ecard.php file for now to see if that stops the hundreds of rejections I'm getting daily like below:
Quote
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_a9015e4e2f33e6562ec8a717c4424b16"


--b1_a9015e4e2f33e6562ec8a717c4424b16
Content-Type: text/plain; charset = "iso-8859-1"
Content-Transfer-Encoding: 8bit

An e-card from arnold for you
=========================================

To view the ecard, copy and paste this url into your browser's address bar::
http://warofthering.net/gallery/galleries/displayecard.php?data=[long base64-encoded data parameter removed]

Now...just so you know, renaming the entire gallery folder to --old completely stops this. Our gallery is a major draw so this is not acceptable. Any ideas?
All who wander are not lost. ~ Tolkien

Nibbler

What is the exploit? If you don't want anonymous users to use the ecard feature then disallow it on the groups page.

Illuvatar

Well, the exploit is sending ecards by the hundreds.

I really don't mind if users have this option. I did the rename of the php file and the emails have stopped but I can rename back and see if disabling it at the Group level works.

I'll give it a try.

Joachim Müller

How could this be prevented if you allow anonymous visitors to send ecards? The script can't determine the difference between a human visitor and a bot. That's not an exploit, as it is a weakness you deliberately open up. You're welcome to suggest changes for the future.

Illuvatar

Okay.....understood. So it was the Anonymous user setting. Thanks....

I did turn them off and the emails have stopped.

Very glad to hear that it wasn't a real exploit.

The only thing that I would suggest is a verification option to be invoked like is used during most registration scripts to validate that it's a human and not a bot.

This would allow unregistered users to send an ecard from galleries like ours that don't even allow registrations.

Thanks for your time.

Gizmo

Check out this post that integrates CAPTCHA with ecards. It's a bit lengthy but I used it on one of my galleries that's open to the public.
Did you read the manual first???? Taking 2 minutes to backup your files can save you hours of wondering what you screwed up.
Billy Bullock - BullsEyePhotos Blog of Indecision
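
One way to confirm from the web server's access log that automated clients are driving the e-card form, as the thread concludes (an added example, not code from Coppermine or from any poster). It assumes an Apache/nginx combined-format log; the IP addresses, the `ecard.php` and `login.php` paths, the thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def ecard_posts(lines, script="ecard.php"):
    """Yield (ip, timestamp) for each POST to the e-card send script."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # viewing the form (GET) does not send mail
        # Match on the script name only, ignoring directory and query string.
        if m["path"].split("?", 1)[0].rsplit("/", 1)[-1] != script:
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def flag_bulk_senders(lines, max_sends=5, window=timedelta(minutes=10)):
    """Return {ip: peak sends in any window} for clients above max_sends."""
    by_ip = defaultdict(list)
    for ip, ts in ecard_posts(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_sends:
            flagged[ip] = peak
    return flagged

def sample_line(ip, minute, method="POST", path="/gallery/galleries/ecard.php"):
    """Build one constructed log line (not taken from a real server)."""
    return (f'{ip} - - [02/Oct/2008:02:{minute:02d}:00 +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "-"')

# Constructed sample: one burst sender, one occasional sender, unrelated hits.
SAMPLE = ([sample_line("203.0.113.7", m) for m in range(8)]
          + [sample_line("198.51.100.20", 1), sample_line("198.51.100.20", 40)]
          + [sample_line("203.0.113.7", 9, method="GET"),
             sample_line("192.0.2.5", 3, path="/gallery/galleries/login.php")])

if __name__ == "__main__":
    for ip, peak in flag_bulk_senders(SAMPLE).items():
        print(f"{ip}: {peak} e-card POSTs within 10 minutes")
```

Clients flagged this way indicate that anonymous e-card sending needs the group-level restriction or the CAPTCHA integration mentioned in the thread.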