Hello,
We had an email exploit associated with the ECard functionality which I was hoping would be resolved after I upgraded from 1.4.0 to 1.4.9, but it is still occurring even after I removed and replaced the ecard.php file in its entirety during the upgrade.
I am going to just rename the ecard.php file for now to see if that stops the hundreds of rejections I'm getting daily, like the one below:
Quote:
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_a9015e4e2f33e6562ec8a717c4424b16"
--b1_a9015e4e2f33e6562ec8a717c4424b16
Content-Type: text/plain; charset = "iso-8859-1"
Content-Transfer-Encoding: 8bit
An e-card from arnold for you
=========================================
To view the ecard, copy and paste this url into your browser's address bar::
http://warofthering.net/gallery/galleries/displayecard.php?data=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%2FY3E9MSZhbXA7cD00MiAmZ3Q7cmVjdW1iZW50IGJpY3ljbGVzJmx0Oy9hJmd0OyAmbHQ7YSBocmVmPSBodHRwOi8vd3d3Lmdlb2NpdGllcy5jb20veG9vZHR5d3pteWQvMjRycy10YW5uaW5nLWJlZHMuaHRtbCAmZ3Q7MjRycyB0YW5uaW5nIGJlZHMmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9nb3pwdWN3ZmdkeC9hZHVsdC1udWRlLXBpY3R1cmVzLmh0bWwgJmd0O2FkdWx0IG51ZGUgcGljdHVyZXMmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9iaG5uenVoYWZ1L2JsYWNrLWNvY2stcGhvZW5peC5odG1sICZndDtibGFjayBjb2NrIHBob2VuaXgmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9rcGd5bXFrZngvd2V0LWJhYmUuaHRtbCAmZ3Q7d2V0IGJhYmUmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9wcXJid3N3c3J1L2JyYXNzLXJhaWwuaHRtbCAmZ3Q7YnJhc3MgcmFpbCZsdDsvYSZndDsgJmx0O2EgaHJlZj0gaHR0cDovL3d3dy5nZW9jaXRpZXMuY29tL2hhY2J1ZmdyeGJyL2plc3NlLWphbWVzLWJpby5odG1sICZndDtqZXNzZSBqYW1lcyBiaW8mbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS93emNxb3d3cHlvYXAvZWRtb250b24taW5kZXBlbmRlbnQtZXNjb3J0cy5odG1sICZndDtlZG1vbnRvbiBpbmRlcGVuZGVudCBlc2NvcnRzJmx0Oy9hJmd0OyAmbHQ7YSBocmVmPSBodHRwOi8vd3d3Lmdlb2NpdGllcy5jb20vcmJ0Z25oend5cS9ib3VuZGFyeS1pbmFwcHJvcHJpYXRlLXNleHVhbC5odG1sICZndDtib3VuZGFyeSBpbmFwcHJvcHJpYXRlIHNleHVhbCZsdDsvYSZndDsgJmx0O2EgaHJlZj0gaHR0cDovL3d3dy5nZW9jaXRpZXMuY29tL2tjZ3B4dWVnY3NjL2FyYXVjYW5hLWNoaWNrcy5odG1sICZndDthcmF1Y2FuYSBjaGlja3MmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9kd3Jod3VjbmgvY2FtLWNoYXQtZnJlZS1saXZlLW9ubHktc2V4LXNleC13ZWIuaHRtbCAmZ3Q7Y2FtIGNoYXQgZnJlZSBsaXZlIG9ubHkgc2V4IHNleCB3ZWImbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9uZG11cHRrZ3FnYi9ib29rLWd1ZXN0LWpva2Utc2V4Lmh0bWwgJmd0O2Jvb2sgZ3Vlc3Qgam9rZSBzZXgmbHQ7L2EmZ3Q7ICZsdDthIGhyZWY9IGh0dHA6Ly93d3cuZ2VvY2l0aWVzLmNvbS9zZXVtbWh0dWUvcG9ybi1kZS1zZXhlLmh0bWwgJmd0O3Bvcm4gZGUgc2V4ZSZsdDsvYSZndDsgJmx0O2EgaHJlZj0gaHR0cDovL3d3dy5nZW9jaXRpZXMuY29tL2hkeW9oYWd4dGZvdy9udWRlLXNtaXRoLXRob3JuZS5odG1sICZndDtudWRl
IHNtaXRoIHRob3JuZSZsdDsvYSZndDsgIjtzOjM6InBpZCI7aTo0NTUxO3M6MjoicHQiO3M6MDoiIjtzOjI6InBjIjtzOjA6IiI7fQ%3D%3
Now... just so you know, renaming the entire gallery folder to --old completely stops this. Our gallery is a major draw, so this is not acceptable. Any ideas?
What is the exploit? If you don't want anonymous users to use the ecard feature then disallow it on the groups page.
Well, the exploit is sending ecards by the hundreds.
I really don't mind if users have this option. I did the rename of the php file and the emails have stopped, but I can rename it back and see if disabling it at the Group level works.
I'll give it a try.
How could this be prevented if you allow anonymous visitors to send ecards? The script can't determine the difference between a human visitor and a bot. That's not an exploit, as it is a weakness you deliberately open up. You're welcome to suggest changes for the future.
Okay... understood. So it was the Anonymous user setting. Thanks...
I did turn them off and the emails have stopped.
Very glad to hear that it wasn't a real exploit.
The only thing that I would suggest is a verification option to be invoked, like the one used during most registration scripts, to validate that it's a human and not a bot.
This would allow unregistered users to send an ecard from galleries like ours that don't even allow registrations.
Thanks for your time.
Check out this post (http://forum.coppermine-gallery.net/index.php/topic,37635.0.html) that integrates CAPTCHA with ecards. It's a bit lengthy, but I used it on one of my galleries that's open to the public.
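The two points made in the thread, that the script cannot tell a human visitor from a bot and that a CAPTCHA-style check is the answer, come down to a few checks run before the e-card is mailed. The following is an added example in PHP and is not Coppermine's ecard.php nor the code from the linked post: the class name EcardGate, the POST field names (greeting, website, captcha), the sample requests and the limit of five sends per IP per hour are all assumptions made for illustration. It rejects requests by the pattern visible in the bounced message above (entity-encoded lists of links in the greeting) as well as by volume, and runs stand-alone with `php ecard_gate.php`.

```php
<?php
declare(strict_types=1);

// Added example, not Coppermine's ecard.php: an anti-abuse gate that an
// anonymous e-card send handler would call before mailing anything.
// EcardGate, the POST field names and the limits are assumptions.
final class EcardGate
{
    private const MAX_PER_HOUR = 5;        // assumed limit per source IP

    /** @var array<string, int[]>  IP address => recent send timestamps */
    private array $sends = [];

    public function __construct(private int $now) {}

    /**
     * Returns null when the request may proceed, otherwise a short reason
     * string that the caller can log and show a generic error for.
     */
    public function check(array $post, string $ip, ?string $expectedCaptcha): ?string
    {
        // 1. Honeypot: a hidden field a browser leaves empty; form bots fill every field.
        if (($post['website'] ?? '') !== '') {
            return 'honeypot';
        }

        // 2. Human check: the answer generated when the form was rendered is
        //    kept server-side (in the session) and compared in constant time.
        $given = (string) ($post['captcha'] ?? '');
        if ($expectedCaptcha === null || $given === '' || !hash_equals($expectedCaptcha, $given)) {
            return 'captcha';
        }

        // 3. Content filter: a greeting never needs markup or URLs, and the
        //    bounced message in the thread is an entity-encoded list of
        //    <a href=...> links. Decode entities first so &lt;a&gt; is caught too.
        $text = html_entity_decode((string) ($post['greeting'] ?? ''), ENT_QUOTES);
        if (preg_match('~<\s*/?\s*[a-z]~i', $text) === 1
            || preg_match('~https?://|www\.~i', $text) === 1) {
            return 'markup';
        }

        // 4. Sliding one-hour rate limit per source IP; hundreds of sends a day
        //    from one address is the pattern to stop.
        $cutoff = $this->now - 3600;
        $recent = array_values(array_filter(
            $this->sends[$ip] ?? [],
            fn (int $t): bool => $t > $cutoff
        ));
        if (count($recent) >= self::MAX_PER_HOUR) {
            return 'ratelimit';
        }
        $recent[] = $this->now;
        $this->sends[$ip] = $recent;

        return null;
    }
}

// Constructed sample requests (not real traffic).
$gate    = new EcardGate(time());
$captcha = 'k7p3q';   // the value the form page stored in the session

$spam = [
    'greeting' => 'An e-card for you &lt;a href= http://www.geocities.com/example/page.html &gt;click&lt;/a&gt;',
    'captcha'  => 'k7p3q',
    'website'  => '',
];
$legit = [
    'greeting' => 'Happy birthday, Grandma! Hope you like the photo.',
    'captcha'  => 'k7p3q',
    'website'  => '',
];

echo 'spam: ', $gate->check($spam, '198.51.100.7', $captcha) ?? 'accepted', PHP_EOL;
echo 'wrong captcha: ', $gate->check(['captcha' => 'zzz'] + $legit, '198.51.100.7', $captcha) ?? 'accepted', PHP_EOL;
for ($i = 1; $i <= 6; $i++) {
    echo "legit #$i: ", $gate->check($legit, '203.0.113.9', $captcha) ?? 'accepted', PHP_EOL;
}
```

In a real install the expected CAPTCHA answer would be read from `$_SESSION` and the per-IP timestamps kept in a database table rather than in memory, so the limit survives across requests; the order of the checks is deliberate, with the cheap honeypot and CAPTCHA tests first so that bots never reach the rate-limit store. Turning anonymous e-cards off at the group level, as was done in the thread, remains the simplest fix when the feature is not needed.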