Possible spam hole in send

meba - October 29, 2009 - 09:22
Project: Send
Version: HEAD
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active
Description

Drupal Security Team approved making this issue public since it's not possible to exploit the issue right now without hooking into send module.

There was a spam hole in Forward module: [#398564]

The problem with forward module was that it only checked the spam
threshold on a "per sent mail" basis, not a "per recipient" basis.

So, if you would add 100 mail addresses into the text area and the
limit was 10, all 100 mails would still be sent.

We have checked the current stable D5 release of send: it does the same,
checking before the form is built rather than while sending the
mails. However, since the module by default only allows one recipient,
we believe it to not be vulnerable.

send.module is, however, easily modifiable through hooks and could be
made to "bypass" the flood check too.
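The difference between the two check placements, as an added illustration that is not code from the Send or Forward modules. The two stub functions stand in for Drupal's flood_register_event() and flood_is_allowed() with an in-memory counter so the script runs outside Drupal; the function names, the "send" event name and the 100-address input are constructed for the example.

```php
<?php
// Added illustration, not Send module code. The stubs below mimic the
// shape of Drupal's flood API with an in-memory counter (assumption:
// one shared counter keyed by event name, no time window).
$flood_events = array();

function flood_register_event_stub($name) {
  global $flood_events;
  $flood_events[$name] = isset($flood_events[$name]) ? $flood_events[$name] + 1 : 1;
}

function flood_is_allowed_stub($name, $threshold) {
  global $flood_events;
  $count = isset($flood_events[$name]) ? $flood_events[$name] : 0;
  return $count < $threshold;
}

// Pattern described in the report: a single flood check per form
// submission, made before the form is built. Once that check passes,
// every recipient in the submission is mailed, however many there are.
function send_per_submission(array $recipients, $threshold) {
  if (!flood_is_allowed_stub('send', $threshold)) {
    return 0;
  }
  flood_register_event_stub('send');
  $sent = 0;
  foreach ($recipients as $address) {
    // drupal_mail() would be called here; this example only counts.
    $sent++;
  }
  return $sent;
}

// Corrected pattern: check and register the flood event inside the
// sending loop, so the threshold applies per recipient.
function send_per_recipient(array $recipients, $threshold) {
  $sent = 0;
  foreach ($recipients as $address) {
    if (!flood_is_allowed_stub('send', $threshold)) {
      break; // threshold reached; remaining addresses are not mailed
    }
    flood_register_event_stub('send');
    $sent++;
  }
  return $sent;
}

// Constructed input: 100 addresses submitted at once against a limit of 10.
$recipients = array();
for ($i = 0; $i < 100; $i++) {
  $recipients[] = "user$i@example.com";
}

$flood_events = array();
printf("per-submission check: %d of %d mailed\n",
       send_per_submission($recipients, 10), count($recipients));

$flood_events = array();
printf("per-recipient check:  %d of %d mailed\n",
       send_per_recipient($recipients, 10), count($recipients));
```

Run with `php flood_check.php`: the per-submission variant mails all 100 addresses because the only check happened before the loop, while the per-recipient variant stops after the tenth. A per-recipient check is also harder for a hook that alters the form or the recipient list to sidestep, since the limit is enforced at the point where each mail is actually sent.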
