
Advancedform_XH Confirmation Mails

Posted: Thu Jan 31, 2019 5:47 pm
by cmb
Hi everybody!

https://cmsimple.org/forum/viewtopic.ph ... 2782#p2782 made me aware of a serious flaw regarding the confirmation mails of Advancedform_XH, namely that anybody can send mail on behalf of the “To” address – any mail, not only “harmless” spam, but even mail with indictable contents. This is not a security issue in the strict sense, but comparably dangerous – therefore I'm posting it in this forum.

Therefore I strongly recommend to not use the confirmation mail “feature”, by not providing a thanks-page, and to send confirmation manually, if required.

Re: Advancedform_XH Confirmation Mails

Posted: Thu Jan 31, 2019 8:20 pm
by frase
That's all right.
Nevertheless, a clear hint in the help file should be sufficient.
Are such cases known?
What about the XH shop? Or shops in general?
Isn't it possible to order with a "foreign name"?

Re: Advancedform_XH Confirmation Mails

Posted: Thu Jan 31, 2019 10:56 pm
by cmb
frase wrote:
Thu Jan 31, 2019 8:20 pm
Are such cases known?
What about the XH shop? Or shops in general?
Isn't it possible to order with a "foreign name"?
I'm not aware of any misuses, but it appears generally to be a bad idea to let unauthenticated users (almost all shops require registration, I suppose) send arbitrary contents to arbitrary recipients on your behalf. On the other hand, a confirmation mail with webmaster-controlled contents (“We have received your request, and will address it timely”; likely with a disclaimer à la “If you have not sent that request, please …”) might not be an issue.
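The following is an added example (not Advancedform_XH code, and not posted by anyone in this thread) of the approach described in the reply above: the confirmation mail's subject and body are fixed, webmaster-controlled text, and the only thing taken from the submission is the recipient address, which is validated so that it cannot carry extra header lines. It assumes the submission arrives as a plain dict and uses the standard library's email package; the sample submission is constructed, and nothing is actually sent.

```python
"""Confirmation mail built from webmaster-controlled text only.

Added example, not Advancedform_XH code. It assumes the submitted form
fields arrive as a dict; the message object is returned for inspection
rather than handed to an SMTP client.
"""
import re
from email.message import EmailMessage

# Constructed sample submission (not taken from the forum thread)
SAMPLE_SUBMISSION = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "message": "Please send me your current price list.",
}

# Fixed, webmaster-controlled confirmation text. The submitted field
# values are deliberately never copied into subject or body.
CONFIRMATION_SUBJECT = "We have received your request"
CONFIRMATION_BODY = (
    "We have received your request and will address it in a timely manner.\n"
    "If you have not sent a request to us, please ignore this message.\n"
)

# Conservative single-address pattern (assumption: one plain address, no
# display name); CR/LF are rejected separately so no extra header can follow.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def valid_recipient(addr):
    """Return True only for a single well-formed address with no CR/LF."""
    if not isinstance(addr, str) or "\r" in addr or "\n" in addr:
        return False
    return _ADDR_RE.fullmatch(addr.strip()) is not None


def build_confirmation(submission, sender_addr):
    """Build the confirmation EmailMessage, or None if the recipient is unusable.

    Only the recipient comes from the submission; subject and body are the
    fixed constants above, so a visitor cannot author mail sent from the site.
    """
    recipient = submission.get("email", "")
    if not valid_recipient(recipient):
        return None
    msg = EmailMessage()
    msg["From"] = sender_addr
    msg["To"] = recipient.strip()
    msg["Subject"] = CONFIRMATION_SUBJECT
    msg.set_content(CONFIRMATION_BODY)
    return msg


def echoes_submitted_content(msg, submission):
    """Self-check: True if any submitted field value ended up in the mail body."""
    body = msg.get_content()
    return any(value and value in body for value in submission.values())


if __name__ == "__main__":
    confirmation = build_confirmation(SAMPLE_SUBMISSION, "webmaster@example.com")
    print(confirmation)
    print("echoes submission:", echoes_submitted_content(confirmation, SAMPLE_SUBMISSION))
```

The self-check at the end is the property worth keeping in a test suite: whatever the form submits, none of it may appear in the outgoing body, because that is exactly what turns a confirmation mail into a relay for arbitrary content.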

Re: Advancedform_XH Confirmation Mails

Posted: Fri Feb 01, 2019 10:33 am
by bca
Hi Christoph,
cmb wrote:
not use the confirmation mail “feature”
I can't see how to turn that feature off.

I do use a Thanks page but sender also gets information email.

B

Re: Advancedform_XH Confirmation Mails

Posted: Fri Feb 01, 2019 11:09 am
by frase
help-file wrote:
Thanks page: If empty, the submitted information is displayed after the e-mail has been sent. If set and a sender e-mail address has been entered, the visitor is redirected to this page after the e-mail has been sent, and a confirmation e-mail containing the submitted information is sent to them.
That actually means that a confirmation mail is only sent if the thanks page is used???
But that contradicts this:
cmb wrote:
Thu Jan 31, 2019 5:47 pm
Therefore I strongly recommend to not use the confirmation mail “feature”, but rather to provide a thanks-page, and to send confirmation manually, if required.
Am I misunderstanding something?

Re: Advancedform_XH Confirmation Mails

Posted: Fri Feb 01, 2019 12:35 pm
by cmb
frase wrote:
Fri Feb 01, 2019 11:09 am
Am I misunderstanding something?
No, I was confused. Actually, I should have written:

Therefore I strongly recommend to not use the confirmation mail “feature”, by not providing a thanks-page, and to send confirmation manually, if required.