1
unixtime
Possible security bug
  • 2004/8/29 14:24

  • unixtime

  • Just popping in

  • Posts: 2

  • Since: 2003/11/2


I noticed in my log some kind of Nimda web attack on the mydownloads -> Tell a Friend link.

The attack file is long; I have added it to my site: http://unixtime.net/nimda.txt

The attacker is trying to use the Tell a Friend link to spam, using the default template link.
Example:
https://xoops.org/modules/mydownloads/singlefile.php?cid=2&lid=1

I had to recompile my kernel to support the iptables string match and added the following statements:

$IPTABLES -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string .c+dir.
$IPTABLES -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string .cmd.exe.
$IPTABLES -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string .default.ida.


I am sure there are many sites using Tell a Friend links.

Does anybody know if there is a patch for this problem?

Thank you.
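
The following is an added example and is not part of the original post or of XOOPS. It shows the kind of check a practitioner would run over the web server's access log instead of, or alongside, the per-packet iptables string filter above: it parses Apache combined-log lines, percent-decodes the request path repeatedly, and flags the well-known Nimda and Code Red probe paths (cmd.exe, root.exe, default.ida, "/c+dir", and "..\" or "../" traversal). The log lines are constructed for this example, not taken from the poster's nimda.txt; the fourth line is a hypothetical percent-encoded variant of the cmd.exe probe, included to show that a plain substring match on the raw bytes (the three strings used in the iptables rules) misses it while the decoded match does not.

```python
import re
import urllib.parse

# Constructed Apache combined-log lines (not from the original post's nimda.txt).
# Lines 1-3 mimic the well-known Nimda / Code Red probe paths; line 4 is a
# hypothetical percent-encoded variant of the cmd.exe probe; line 5 is a benign
# request for the XOOPS mydownloads page mentioned in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2004:14:01:02 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
203.0.113.7 - - [29/Aug/2004:14:01:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275 "-" "-"
203.0.113.9 - - [29/Aug/2004:14:02:10 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 290 "-" "-"
203.0.113.11 - - [29/Aug/2004:14:03:44 +0200] "GET /scripts/..%255c../winnt/system32/%63%6d%64.exe?/c%2bdir HTTP/1.0" 404 281 "-" "-"
198.51.100.5 - - [29/Aug/2004:14:05:00 +0200] "GET /modules/mydownloads/singlefile.php?cid=2&lid=1 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Signatures applied to the *decoded* request path.
SIGNATURES = {
    "cmd.exe probe": re.compile(r"cmd\.exe", re.I),
    "root.exe probe": re.compile(r"root\.exe", re.I),
    "default.ida probe": re.compile(r"default\.ida", re.I),
    "directory traversal": re.compile(r"\.\.[\\/]"),
    "c+dir command": re.compile(r"/c\+dir", re.I),
}

# The three raw substrings the original post filtered with iptables -m string.
POST_STRINGS = ("c+dir", "cmd.exe", "default.ida")


def normalize_path(path, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as ..%255c.. -> ..%5c.. -> ..\\.. are
    compared in clear text. '+' is deliberately left alone (unquote, not
    unquote_plus) because it is literal in these probe paths."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def raw_substring_hits(line):
    """What a byte-for-byte substring filter (like the iptables rules) would see."""
    m = LOG_RE.match(line)
    if not m:
        return []
    raw = m.group("path")
    return [s for s in POST_STRINGS if s in raw]


def classify(line):
    """Parse one log line and return a record with the decoded path and the
    signature names that matched, or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": path,
        "hits": hits,
    }


def scan(log_text):
    """Return the records of all lines that matched at least one signature."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec and rec["hits"]:
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["ip"]:<14} {rec["status"]} {rec["path"]}  <- {", ".join(rec["hits"])}')
```

The decoded match flags four of the five constructed lines and leaves the mydownloads request alone; the raw substring check flags only the first three. Two caveats apply to the iptables approach in the post regardless of encoding: `-m string` inspects one packet at a time, so a request whose signature straddles a segment boundary is not matched, and dropping on the INPUT chain silently discards the probe rather than logging it, so the access log no longer shows that the host was scanned.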

2
Jan304
Re: Possible security bug
  • 2004/8/29 16:01

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


I'm not really a genius, and that's maybe why I don't understand it completely. The "Tell a friend" in the mydownloads module is just an href anchor with a mailto command.

So what exactly is the result of that "attack"? I'm not really sure...

3
unixtime
Re: Possible security bug
  • 2004/8/29 16:23

  • unixtime

  • Just popping in

  • Posts: 2

  • Since: 2003/11/2


I posted this before I drank my coffee... This code is looking for mailto: [ string ], so as usual the spammers add the mailto:<email@whatever.xxx> to a spamming list.

Since there is no email address in the "Tell a friend" href anchor, it should not be a problem.

Thank you for your time.

4
tl
Re: Possible security bug
  • 2004/8/29 16:27

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


"Tell A Friend" has to go through the sending person's own SMTP server, NOT your web server's SMTP server or PHPMailer, so there is nothing to worry about.

5
o0pk0o
Re: Possible security bug
  • 2004/9/8 14:42

  • o0pk0o

  • Just popping in

  • Posts: 20

  • Since: 2003/12/31


On a side note to this, I was wondering if there is a hole in the Contact Us module? I've got spam on two different e-mail accounts that I've used only in this module (I didn't even give the addresses to friends, let alone post them anywhere).

Thanks,
