Project

General

Profile

Actions

tickets #130294

closed

Security hole in hyperkitty

Added by robin_listas 12 months ago. Updated 12 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Mailing lists
Target version:
-
Start date:
2023-06-02
Due date:
2023-06-13
% Done:

100%

Estimated time:

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It allows non subscriber to script sending of spam.

https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/new

I suggest closing this interface section on all mail lists, or doing
something. Capcha? Subscribers only?

Last example:

https://lists.opensuse.org/archives/list/users@lists.opensuse.org/thread/2PXZ334XP6TGENNKQIMZW7DDYWUOE7XN/


Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Legolas)

-----BEGIN PGP SIGNATURE-----

iHYEARECADYWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCZHoshRgcY2FybG9zLmUu
ckBvcGVuc3VzZS5vcmcACgkQtTMYHG2NR9VfygCggJNWzbmRIy6NilHLPPHPgJ/s
IAwAnAnpKkc+miKL7Au12EaY27yUwqXG
=Qx4j
-----END PGP SIGNATURE-----

Actions #1

Updated by pjessen 12 months ago

  • Subject changed from Security hole in hiperkitty to Security hole in hyperkitty
  • Category set to Mailing lists
  • Private changed from Yes to No

Unless you are logged in with your account, the function isn't active.

Actions #2

Updated by pjessen 12 months ago

  • Due date set to 2023-06-13
  • Status changed from New to Feedback

Carlos, I don't see any security issue or hole here, but I thought I would ask you before I reject the ticket.

Actions #3

Updated by robin_listas 12 months ago

The problem is that spammers have scripted their way, using hyperkitty, to mail spam to any mail list we have. Even if the setting is "subscribers only mail list".

They go to https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/new, fill up their crap in the box, then hit [Send], and they are automatically subscribed on the act, possibly with a fake email.

This feature is a security hole, because it permits sending of spam. If you want to call it something else instead of security, fine, but please, the feature should go.

This page should be changed to disable automatic subscription (or add a capcha), and if not possible, remove the page.

For more information see:

https://lists.opensuse.org/archives/list/users@lists.opensuse.org/thread/2PXZ334XP6TGENNKQIMZW7DDYWUOE7XN/

https://lists.opensuse.org/archives/list/users@lists.opensuse.org/thread/PWC32T64D4PBZEH73ER4AY4CJOFGEVUI/

Actions #4

Updated by pjessen 12 months ago

  • Status changed from Feedback to New

The problem is that spammers have scripted their way, using hyperkitty, to mail spam to any mail list we have. Even if the setting is "subscribers only mail list".

They still have to have a mailman account, which we can hardly block 😀

They go to https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/new, fill up their crap in the box, then hit [Send], and they are automatically subscribed on the act, possibly with a fake email.

Yep, that is how it works. The email has to be linked to their mailman account though, so no fakes.

This feature is a security hole, because it permits sending of spam.

In that case, subscribing to a list is also a security hole, because it permits the sending of spam.

If you want to call it something else instead of security, fine, but please, the feature should go.
This page should be changed to disable automatic subscription (or add a captcha), and if not possible, remove the page.

No, it is not about what to call it, the question is whether it is a genuine problem. As far as I am concerned, that option "Start a new thread" is completely superfluous, but I see no option to just disable it.

Actions #5

Updated by pjessen 12 months ago

  • Status changed from New to Resolved
  • Assignee set to pjessen
  • % Done changed from 0 to 100

I am closing as resolved - if this "security hole" continues to be abused, feel free to reopen. Even better, maybe pursue directly with the mailman upstream project.

Actions

Also available in: Atom PDF