Advancedform_XH Confirmation Mails

A place for security-related announcements and discussions - please check this forum frequently!
cmb
Posts: 13230
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Advancedform_XH Confirmation Mails

Post by cmb » Thu Jan 31, 2019 5:47 pm

Hi everybody!

https://cmsimple.org/forum/viewtopic.ph ... 2782#p2782 made me aware of a serious flaw regarding the confirmation mails of Advancedform_XH, namely that anybody can send mail on behalf of the “To” address – any mail, not only “harmless” spam, but even mail with indictable contents. This is not a security issue in the strict sense, but comparably dangerous – therefore I'm posting it in this forum.

Therefore I strongly recommend to not use the confirmation mail “feature”, by not providing a thanks-page, and to send confirmation manually, if required.
Last edited by cmb on Fri Feb 01, 2019 12:35 pm, edited 1 time in total.
Reason: fix recommendation; see below
Christoph M. Becker – Plugins for CMSimple_XH

frase
Posts: 2825
Joined: Thu Apr 21, 2016 6:32 am
Location: Saxony

Re: Advancedform_XH Confirmation Mails

Post by frase » Thu Jan 31, 2019 8:20 pm

That's all right.
Nevertheless, a clear hint in the help file should be sufficient.
Are such cases known?
What about the XH shop? - Or shops in general?
Isn't it possible to order with a "foreign name"?

cmb
Posts: 13230
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Advancedform_XH Confirmation Mails

Post by cmb » Thu Jan 31, 2019 10:56 pm

frase wrote:
Thu Jan 31, 2019 8:20 pm
Are such cases known?
What about the XH shop? - Or shops in general?
Isn't it possible to order with a "foreign name"?
I'm not aware of any misuses, but it appears generally to be a bad idea to let unauthenticated users (almost all shops require registration, I suppose) send arbitrary contents to arbitrary recipients on your behalf. On the other hand, a confirmation mail with webmaster-controlled contents (“We have received your request, and will address it timely”; likely with a disclaimer à la “If you have not sent that request, please …”) might not be an issue.
Christoph M. Becker – Plugins for CMSimple_XH
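The distinction drawn in the post above, as an added example that is not Advancedform_XH code: one builder echoes every submitted value into the confirmation mail (so the visitor controls the body delivered to whatever address they put in the sender field), the other keeps the body fixed. The field names, addresses and helper names are assumptions made up for illustration.

```python
from email.message import EmailMessage

# Constructed sample submission. "sender" is the visitor-supplied address that
# becomes the confirmation's "To", so it can point at anybody.
SUBMISSION = {
    "sender": "someone@example.net",
    "name": "Visitor Name",
    "message": "Any text the visitor wants the site to mail out.",
}
SITE_FROM = "forms@example.org"  # assumed webmaster address


def echoing_confirmation(form: dict) -> EmailMessage:
    """Risky pattern: the mail repeats every submitted value, so the visitor
    decides what text the site sends to an arbitrary recipient."""
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = form["sender"]
    msg["Subject"] = "Your submission"
    msg.set_content("\n".join(f"{k}: {v}" for k, v in form.items() if k != "sender"))
    return msg


def fixed_confirmation(form: dict) -> EmailMessage:
    """Safer pattern: only the recipient comes from the form; the body is a
    fixed, webmaster-controlled template that names no submitted value."""
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = form["sender"]
    msg["Subject"] = "We have received your request"
    msg.set_content(
        "We have received your request and will address it timely.\n"
        "If you have not sent this request, please ignore this mail."
    )
    return msg


def leaks_submitted_values(msg: EmailMessage, form: dict) -> bool:
    """Review check: does any visitor-supplied value appear in the mail body?"""
    body = msg.get_content()
    return any(v in body for k, v in form.items() if k != "sender")
```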

bca
Posts: 290
Joined: Tue Sep 15, 2009 4:49 pm

Re: Advancedform_XH Confirmation Mails

Post by bca » Fri Feb 01, 2019 10:33 am

Hi Christoph,
not use the confirmation mail “feature”
I can't see how to turn that feature off.

I do use a Thanks page but sender also gets information email.

B

frase
Posts: 2825
Joined: Thu Apr 21, 2016 6:32 am
Location: Saxony

Re: Advancedform_XH Confirmation Mails

Post by frase » Fri Feb 01, 2019 11:09 am

help-file wrote: Thanks page: If empty, the submitted information is displayed after the e-mail has been sent. If set and a sender e-mail address was entered, the visitor is redirected to this page after the e-mail has been sent, and a confirmation e-mail with the submitted information is sent to them.
That actually means that a confirmation mail is only sent if the thanks page is used???
But that contradicts this:
cmb wrote:
Thu Jan 31, 2019 5:47 pm
Therefore I strongly recommend to not use the confirmation mail “feature”, but rather to provide a thanks-page, and to send confirmation manually, if required.
Am I misunderstanding something?

cmb
Posts: 13230
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Advancedform_XH Confirmation Mails

Post by cmb » Fri Feb 01, 2019 12:35 pm

frase wrote:
Fri Feb 01, 2019 11:09 am
Am I misunderstanding something?
No, I was confused. Actually, I should have written:

Therefore I strongly recommend to not use the confirmation mail “feature”, by not providing a thanks-page, and to send confirmation manually, if required.
Christoph M. Becker – Plugins for CMSimple_XH
