Hi everybody!
https://cmsimple.org/forum/viewtopic.ph ... 2782#p2782 made me aware of a serious flaw regarding the confirmation mails of Advancedform_XH, namely that anybody can send mail on behalf of the “To” address – any mail, not only “harmless” spam, but even mail with indictable contents. This is not a security issue in the strict sense, but comparably dangerous – therefore I'm posting it in this forum.
Therefore I strongly recommend to not use the confirmation mail “feature”, by not providing a thanks-page, and to send confirmation manually, if required.
Advancedform_XH Confirmation Mails
Last edited by cmb on Fri Feb 01, 2019 12:35 pm, edited 1 time in total.
Reason: fix recommendation; see below
Christoph M. Becker – Plugins for CMSimple_XH
Re: Advancedform_XH Confirmation Mails
That's all right.
Nevertheless, a clear hint in the help file should be sufficient.
Are such cases known?
What about the XH shop? - Or shops in general?
Isn't it possible to order with a "foreign name"?
Re: Advancedform_XH Confirmation Mails
I'm not aware of any misuses, but it appears generally to be a bad idea to let unauthenticated users (almost all shops require registration, I suppose) send arbitrary contents to arbitrary recipients on your behalf. On the other hand, a confirmation mail with Webmaster controlled contents (“We have received your request, and will address it timely”; likely with a disclaimer à la “If you have not sent that request, please …”) might not be an issue.
Christoph M. Becker – Plugins for CMSimple_XH
Re: Advancedform_XH Confirmation Mails
Hi Christoph
> not use the confirmation mail “feature”

I can't see how to turn that feature off.
I do use a Thanks page but sender also gets information email.
B
Re: Advancedform_XH Confirmation Mails
help-file wrote:
> Thanks page: If empty, the submitted information is displayed after the e-mail has been sent. If set and a sender e-mail address has been entered, the visitor is redirected to this page after the e-mail has been sent, and a confirmation e-mail with the submitted information is sent to him.

That actually means that a confirmation mail is only sent if one uses the thanks page???
But that contradicts this:
Am I misunderstanding something?
Re: Advancedform_XH Confirmation Mails
No, I was confused. Actually, I should have written:
Therefore I strongly recommend to not use the confirmation mail “feature”, by not providing a thanks-page, and to send confirmation manually, if required.
Christoph M. Becker – Plugins for CMSimple_XH