[Koha-bugs] [Bug 3280] opac/opac-sendbasket.pl security leaky

bugzilla-daemon at liblime.com bugzilla-daemon at liblime.com
Mon Jun 1 22:31:53 CEST 2009


http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280


Joe Atzberger <joe.atzberger at liblime.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joe.atzberger at liblime.com




--- Comment #3 from Joe Atzberger <joe.atzberger at liblime.com>  2009-06-01 20:31:53 ---
Might be good to insert, "this request came from IP: $ENV{REMOTE_ADDR}". 
Doesn't prevent the problem, but may help ID your culprit if spamming occurs.

Other possibilities:
 ~ require user to be logged in to send cart, then send only to (one of) their
registered addresses, using message queue (true prevention, with part of the
feature sacrificed)
 ~ build internal tracking of messages sent with thresholds considered
"abusive" (damage limitation)
 ~ take the address in a separate request from the "send" confirmation, either
retaining it on the server side or passing it back and forth in an encrypted
form (problem obfuscation -- not truly more secure, but more difficult to
exploit)


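One way to implement two of the suggestions above, the "this request came from IP" trace line and the internal send tracking with thresholds considered abusive, as an added Perl example; it is not Koha's opac-sendbasket.pl code and not part of the bug thread, and the threshold values, the in-memory %sent store and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical thresholds (not Koha configuration): at most MAX_PER_WINDOW
# cart e-mails per source IP within WINDOW seconds, and at most
# MAX_RECIPIENTS distinct recipients per IP in that window.
use constant WINDOW         => 3600;
use constant MAX_PER_WINDOW => 5;
use constant MAX_RECIPIENTS => 3;

# In-memory log of sends: { ip => [ [epoch, recipient], ... ] }.
# A real deployment would persist this (for example in a database table)
# so it survives across CGI requests; a hash is enough to show the logic.
my %sent;

# Returns 1 if a send from $ip to $recipient at time $now is within the
# thresholds (and records it), 0 if it would be considered abusive.
sub allow_send {
    my ($ip, $recipient, $now) = @_;
    my $log = $sent{$ip} ||= [];
    # Drop entries that have fallen out of the sliding window.
    @$log = grep { $_->[0] > $now - WINDOW } @$log;
    my %distinct = map { $_->[1] => 1 } @$log;
    return 0 if @$log >= MAX_PER_WINDOW;
    return 0 if !$distinct{$recipient} && keys(%distinct) >= MAX_RECIPIENTS;
    push @$log, [ $now, $recipient ];
    return 1;
}

# Trace line to append to the outgoing message, so a recipient who is
# being spammed can report the originating address.
sub origin_note {
    my ($ip) = @_;    # in a CGI this would be $ENV{REMOTE_ADDR}
    return "This request came from IP: $ip";
}

# Constructed demo: one client tries to send the cart to seven different
# addresses within a minute; only the first three distinct recipients pass.
my $ip  = '192.0.2.10';    # documentation address, not a real host
my $now = 1_243_888_000;
for my $i (1 .. 7) {
    my $to = "user$i\@example.org";
    my $ok = allow_send($ip, $to, $now + $i);
    printf "%s -> %s (%s)\n", $ip, $to, $ok ? 'sent' : 'blocked';
}
print origin_note($ip), "\n";
```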