http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 Summary: opac/opac-sendbasket.pl security leaky Product: Koha Version: HEAD Platform: Other OS/Version: Linux - Debian Status: NEW Severity: normal Priority: P3 Component: OPAC AssignedTo: jmf@liblime.com ReportedBy: dbavousett@ptfs.com Estimated Hours: 0.0 Change sponsored?: --- It is possible for a clever user who has access to the source to spot that opac-sendbasket.pl has a security leak, and use a Koha server as a spam relay. opac-sendbasket.pl uses CGI's param() method to fetch in parameters. This functions fine, but it doesn't *care* if the parameters come in via GET or POST methods. Thus, you can: http://server/cgi-bin/koha/opac-sendbasket. pl?&email_add=user@domain.com&comment=”blahblahblah” This will send a message with the cart header as defined elsewhere, plus the comments from the "comment" param, to user@domain.com. A moderately-clever geek could easily work out a script to use this as a spamming tool. My suggestion would be to either use CGI_Lite, which allows for control over passing method, or manually fetching in the parameters "the hard way", which would allow you to explicitly disallow GET params in (at a minimum) email_add and comment. -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.