View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
5816 | Composr | core | public | 2024-07-30 00:15 | 2024-07-30 00:16 |

Field | Value |
---|---|
Reporter | PDStig |
Assigned To | Guest |
Priority | high |
Severity | trivial |
Status | new |
Resolution | open |
Product Version | 11.beta1 |
Summary | 5816: Database and mail poison for get_value_newer_than on missing resource |
Description | There is a mechanism in site2.php which uses values_elective to determine if an error about a missing page has been recently sent out or not. This mechanism leads to the possibility of database poison because a value (row) is added every time a unique, missing zone:page is attempted. It could also be abused by botnets to trigger mass error notifications by making page requests with a different random page name each time. We should use a different method rather than putting stuff in the db to track this. Perhaps look up in the mail log if the notification was sent out. Also maybe consider tracking how many times a missing page is hit and trigger a hack attack if it's too many. |
Tags | Roadmap: Over the horizon, Type: Avoiding e-mail spamblocks, Type: Security |

Date Modified | Username | Field | Change |
---|---|---|---|
2024-07-30 00:16 | PDStig | Tag Attached: Roadmap: Over the horizon | |
2024-07-30 00:16 | PDStig | Tag Attached: Type: Security | |
2024-07-30 00:16 | PDStig | Tag Attached: Type: Avoiding e-mail spamblocks | |
2024-07-30 00:16 | PDStig | Summary | Database poison for get_value_newer_than on missing resource => Database and mail poison for get_value_newer_than on missing resource |
2024-07-30 00:16 | PDStig | Description Updated |
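
The description asks for missing-page tracking that does not store one row per requested page name and that can flag excessive hits. The sketch below is an added example of that idea, not Composr code and not the reporter's; the class, method and parameter names are hypothetical, and PHP 8 is assumed. Stored state and outgoing notifications are both capped regardless of how many distinct page names are requested.

```php
<?php
// Added example; not Composr code. All names here are hypothetical.
final class MissingPageTracker
{
    private array $recent = [];   // sha256(zone:page) => time of last notification
    private int $windowStart = 0; // start of the current counting window
    private int $hits = 0;        // missing-page hits in the current window
    private int $mails = 0;       // notifications sent in the current window

    public function __construct(
        private int $window = 3600,    // seconds per window
        private int $maxEntries = 500, // hard cap on remembered page names
        private int $maxMails = 5,     // notification budget per window
        private int $abuseAt = 100     // hits per window treated as abuse
    ) {}

    /** Returns ['notify' => bool, 'abuse' => bool] for one missing-page hit. */
    public function record(string $zonePage, int $now): array
    {
        if ($now - $this->windowStart >= $this->window) {
            $this->windowStart = $now;
            $this->hits = $this->mails = 0;
        }
        $this->hits++;
        // True exactly once per window; a caller would log its security event here.
        $abuse = ($this->hits === $this->abuseAt);

        $key = hash('sha256', $zonePage); // fixed-size key whatever was requested
        $seen = isset($this->recent[$key]) && ($now - $this->recent[$key]) < $this->window;
        $notify = !$seen && $this->mails < $this->maxMails;
        if ($notify) {
            $this->mails++;
            unset($this->recent[$key]);
            $this->recent[$key] = $now; // re-insert so the newest entry is last
            if (count($this->recent) > $this->maxEntries) {
                array_shift($this->recent); // evict the oldest entry
            }
        }
        return ['notify' => $notify, 'abuse' => $abuse];
    }

    public function stored(): int { return count($this->recent); }
}
// Constructed input: 1,000 requests, each for a different page name.
$t = new MissingPageTracker();
$sent = 0; $flags = 0;
for ($i = 0; $i < 1000; $i++) {
    $r = $t->record("site:page_$i", 1000 + $i);
    $sent += (int) $r['notify'];
    $flags += (int) $r['abuse'];
}
echo "mails=$sent abuse_flags=$flags stored=" . $t->stored() . "\n";
```

Only page names that actually produced a notification are remembered, so the per-window mail budget also limits how fast the store can grow.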