Ticket #130294: Security hole in hyperkitty (closed, 100% done)
Description
It allows non-subscribers to script the sending of spam.
https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/new
I suggest closing this interface section on all mail lists, or doing
something. Captcha? Subscribers only?
Last example:
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Legolas)
Updated by pjessen over 1 year ago
- Subject changed from Security hole in hiperkitty to Security hole in hyperkitty
- Category set to Mailing lists
- Private changed from Yes to No
Unless you are logged in with your account, the function isn't active.
Updated by pjessen over 1 year ago
- Due date set to 2023-06-13
- Status changed from New to Feedback
Carlos, I don't see any security issue or hole here, but I thought I would ask you before I reject the ticket.
Updated by robin_listas over 1 year ago
The problem is that spammers have scripted their way, using hyperkitty, to mail spam to any mail list we have. Even if the setting is "subscribers only mail list".
They go to https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/new, fill up their crap in the box, then hit [Send], and they are automatically subscribed on the act, possibly with a fake email.
This feature is a security hole, because it permits sending of spam. If you want to call it something else instead of security, fine, but please, the feature should go.
This page should be changed to disable automatic subscription (or add a captcha), and if not possible, remove the page.
For more information see:
Updated by pjessen over 1 year ago
- Status changed from Feedback to New
> The problem is that spammers have scripted their way, using hyperkitty, to mail spam to any mail list we have. Even if the setting is "subscribers only mail list".
They still have to have a mailman account, which we can hardly block 😀
> They go to https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/new, fill up their crap in the box, then hit [Send], and they are automatically subscribed on the act, possibly with a fake email.
Yep, that is how it works. The email has to be linked to their mailman account though, so no fakes.
> This feature is a security hole, because it permits sending of spam.
In that case, subscribing to a list is also a security hole, because it permits the sending of spam.
> If you want to call it something else instead of security, fine, but please, the feature should go.
> This page should be changed to disable automatic subscription (or add a captcha), and if not possible, remove the page.
No, it is not about what to call it, the question is whether it is a genuine problem. As far as I am concerned, that option "Start a new thread" is completely superfluous, but I see no option to just disable it.
Updated by pjessen over 1 year ago
- Status changed from New to Resolved
- Assignee set to pjessen
- % Done changed from 0 to 100
I am closing as resolved - if this "security hole" continues to be abused, feel free to reopen. Even better, maybe pursue directly with the mailman upstream project.
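The thread above turns on one mechanism: a logged-in account can post through the archive's "start a new thread" form and is subscribed to the list at the moment it posts. A moderator-side check that holds exactly those first posts for review, while leaving established members' web posts alone, is one mitigation a list admin can apply without removing the page. The following is an added example, not HyperKitty's, Mailman's or openSUSE's code. It assumes that web-submitted posts carry a `User-Agent` header starting with `HyperKitty` (an assumption, not verified here) and that the list software can tell you when each membership was created; the messages and membership table are constructed sample data.

```python
"""Hold-for-moderation check for list posts created via a web "new thread" form.

Added example, not project code. Assumptions (labelled in comments):
  * web-submitted posts carry "User-Agent: HyperKitty ..." (assumed marker)
  * a membership store exposes the time each subscription was created
All messages and membership data below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed membership table: address -> time the subscription was created.
MEMBERS = {
    "longtime@example.org": datetime(2019, 3, 2, tzinfo=timezone.utc),
    # Subscribed two seconds before the post below: the "subscribed on the act" case.
    "newposter@example.net": datetime(2023, 6, 1, 12, 0, 5, tzinfo=timezone.utc),
}


@dataclass
class Verdict:
    action: str   # "accept" or "hold"
    reason: str


def is_web_submission(msg) -> bool:
    """Assumed marker for posts created through the archive's web form."""
    return msg.get("User-Agent", "").lower().startswith("hyperkitty")


def check_post(raw: str, members=MEMBERS, grace=timedelta(minutes=10)) -> Verdict:
    """Decide whether a raw RFC 5322 message should be held for a moderator.

    Policy: non-members are held; members whose subscription was created
    within `grace` of a web-form post are held (first-post review); everyone
    else is accepted. Established members posting via the web are not held,
    which keeps the feature usable for regular subscribers.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if sender not in members:
        return Verdict("hold", "sender is not a list member")
    joined = members[sender]
    date_hdr = msg.get("Date")
    sent = parsedate_to_datetime(date_hdr) if date_hdr else datetime.now(timezone.utc)
    if is_web_submission(msg) and sent - joined <= grace:
        return Verdict("hold", "web post from a subscription created at posting time")
    return Verdict("accept", "established member")


# Constructed sample messages.
WEB_NEW = """From: New Poster <newposter@example.net>
To: users@lists.example.org
Date: Thu, 01 Jun 2023 12:00:07 +0000
User-Agent: HyperKitty on https://lists.example.org/
Subject: Great offer

body
"""

WEB_OLD = """From: Long Time <longtime@example.org>
To: users@lists.example.org
Date: Thu, 01 Jun 2023 12:30:00 +0000
User-Agent: HyperKitty on https://lists.example.org/
Subject: Question about 15.4

body
"""

NON_MEMBER = """From: stranger@example.com
To: users@lists.example.org
Date: Thu, 01 Jun 2023 13:00:00 +0000
Subject: hello

body
"""

if __name__ == "__main__":
    for name, raw in (("WEB_NEW", WEB_NEW), ("WEB_OLD", WEB_OLD), ("NON_MEMBER", NON_MEMBER)):
        v = check_post(raw)
        print(f"{name}: {v.action} ({v.reason})")
```

The grace window is the tunable part: it only needs to cover the gap between the automatic subscription and the post it was created for, so a few minutes is enough; a longer window just means more legitimate first posts wait for a moderator.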