CPG - Security: ECards form used for SPAM


Started by ulistaerk, January 07, 2006, 02:39:30 AM

ulistaerk

I ran a normal cpg setup where everybody (including Anonymous) could send an ECard.

Yesterday the server admin noticed that our server was blacklisted as an open relay. After a short search, cpg was identified as the culprit. Somebody must have written a script that sent continuous HTTP requests to the ECard URL. As a result, thousands upon thousands of emails were sent.

I'm sure there are many cpg installations that have the same critical setup. Due to the spammer's script and the Google search (just search for "Powered by Coppermine Photo Gallery" and you will find all installations) this can be a significant security issue.

Feature request: Warn the stupid admin if he allows anonymous to send ecards (warn via the javascript confirm dialog if anonymous can send ecards where you update the permissions)

kegobeer

Quote from: ulistaerk
Feature request: Warn the stupid admin if he allows anonymous to send ecards (warn via the javascript confirm dialog if anonymous can send ecards where you update the permissions)

Hmm, I don't think so. That would alienate thousands of users who know better than to allow anonymous users to send ecards.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Joachim Müller

However, we should add a feature to future coppermine versions that makes such attacks harder (a confirmation dialog or even some sort of Captcha)
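The flood ulistaerk describes (a script hammering the ecard URL) and the control Joachim proposes both come down to one requirement: the sending endpoint has to enforce a limit the client cannot skip. A JavaScript confirm dialog runs in the browser and does nothing against a script that posts to the URL directly, and a captcha only helps if the answer is checked on the server. The following Python is an added example written for this thread, not Coppermine code: a per-address and site-wide sliding-window throttle for the send handler, plus a replay of constructed access-log lines through the same throttle to spot the pattern after the fact. The handler path `/ecard.php`, the limits (5 sends per address per 10 minutes, 200 per hour site-wide) and the log lines are all assumptions chosen for illustration.

```python
"""Throttle for an anonymous e-card (mail-sending) form, and a replay of web
server log lines through the same throttle to find a scripted flood.

Added example for this thread, not Coppermine code.  Assumptions: the send
handler is POSTed to /ecard.php, the logged client address is the real peer
(behind a reverse proxy, use the forwarded address the proxy sets instead),
and the limits are illustrative rather than project defaults.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ECARD_PATH = "/ecard.php"  # assumed handler path
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class SlidingWindowLimiter:
    """At most `limit` sends per `window` seconds per key (client IP), and at
    most `global_limit` per `global_window` seconds for the whole site.  The
    site-wide cap bounds the damage even when the attacker rotates addresses.
    Refused sends are not recorded, so a burst cannot lock a key out forever."""

    def __init__(self, limit: int, window: float,
                 global_limit: int, global_window: float) -> None:
        self.limit, self.window = limit, window
        self.global_limit, self.global_window = global_limit, global_window
        self._per_key: dict[str, deque[float]] = defaultdict(deque)
        self._all: deque[float] = deque()

    @staticmethod
    def _prune(q: deque[float], now: float, window: float) -> None:
        # Drop timestamps that have left the window (oldest are at the left).
        while q and now - q[0] >= window:
            q.popleft()

    def allow(self, key: str, now: float) -> bool:
        """Return True if a send at time `now` (epoch seconds) may proceed."""
        q = self._per_key[key]
        self._prune(q, now, self.window)
        self._prune(self._all, now, self.global_window)
        if len(q) >= self.limit or len(self._all) >= self.global_limit:
            return False
        q.append(now)
        self._all.append(now)
        return True


def parse_line(line: str) -> tuple[str, float, str, str] | None:
    """Return (ip, epoch_seconds, method, path) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def replay(lines: list[str], limiter: SlidingWindowLimiter) -> dict[str, int]:
    """Feed every POST to the handler through `limiter` in time order and
    return, per IP, how many sends it would have refused."""
    events = [p for p in map(parse_line, lines) if p is not None]
    events.sort(key=lambda e: e[1])
    refused: dict[str, int] = defaultdict(int)
    for ip, ts, method, path in events:
        if method == "POST" and path == ECARD_PATH and not limiter.allow(ip, ts):
            refused[ip] += 1
    return dict(refused)


def sample_log() -> list[str]:
    """Constructed sample, not real traffic: one visitor sends two cards a few
    minutes apart, one script sends forty cards in forty seconds."""
    base = datetime(2006, 1, 6, 22, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, at: datetime, method: str, path: str) -> str:
        return (f'{ip} - - [{at.strftime(TS_FMT)}] "{method} {path} HTTP/1.0" '
                f'200 512 "-" "Mozilla/5.0"')

    lines = [
        line("192.0.2.10", base, "GET", "/displayimage.php?pid=12"),
        line("192.0.2.10", base + timedelta(seconds=30), "POST", ECARD_PATH),
        line("192.0.2.10", base + timedelta(minutes=3), "POST", ECARD_PATH),
    ]
    lines += [line("198.51.100.7", base + timedelta(seconds=i), "POST", ECARD_PATH)
              for i in range(40)]
    return lines


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=5, window=600,
                                   global_limit=200, global_window=3600)
    for ip, n in replay(sample_log(), limiter).items():
        print(f"{ip}: {n} sends over the per-address limit")
```

In the form handler the same `allow()` call would run before the mail is built, keyed on the client address (and on the account name once anonymous sending is disabled), and a refusal would return an error page instead of sending. The limiter state lives in process memory here; a real deployment shares it across workers (a database table or cache keyed the same way) so that parallel requests cannot each see an empty window.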