View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005816 | Composr | core | public | 2024-07-30 00:15 | 2024-07-30 00:16 |
| Reporter | Patrick Schmalstig | Assigned To | |||
| Severity | Trivial-bug | ||||
| Status | non-assigned | Resolution | open | ||
| Product Version | 11.beta1 | ||||
| Fixed in Version | |||||
| Summary | 0005816: Database and mail poison for get_value_newer_than on missing resource | ||||
| Description | There is a mechanism in site2.php which uses values_elective to determine if an error about a missing page has been recently sent out or not. This mechanism leads to the possibility of database poison because a value (row) is added every time a unique, missing zone:page is attempted. It could also be abused by botnets to trigger mass error notifications by making page requests with a different random page name each time. We should use a different method rather than putting stuff in the db to track this. Perhaps look up in the mail log if the notification was sent out. Also maybe consider tracking how many times a missing page is hit and trigger a hack attack if it's too many. | ||||
| Tags | Roadmap: Over the horizon, Type: Avoiding e-mail spamblocks, Type: Security | ||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-07-30 00:16 | Patrick Schmalstig | Tag Attached: Roadmap: Over the horizon | |
| 2024-07-30 00:16 | Patrick Schmalstig | Tag Attached: Type: Security | |
| 2024-07-30 00:16 | Patrick Schmalstig | Tag Attached: Type: Avoiding e-mail spamblocks | |
| 2024-07-30 00:16 | Patrick Schmalstig | Summary | Database poison for get_value_newer_than on missing resource => Database and mail poison for get_value_newer_than on missing resource |
| 2024-07-30 00:16 | Patrick Schmalstig | Description Updated | View Revisions |
