Hello!
I would like to propose a security hardening, but to be honest I do not have a definite answer on which solution is the best to implement. However, let's first look into the problem.
After enabling this module, the following path becomes accessible by any anonymous user: /social-media-forward. That page offers an "email a friend" kind of share. But it also opens a possibility for an anonymous user to send an arbitrary email to an arbitrary recipient. I personally see 2 possible ways to abuse it:
- Somebody could use it for spamming
- Somebody could use it for phishing against the attacked website. The email is sent from default site email address (and actually would look 100% legitimate to any SMTP/email client); but it allows the attacker to craft any subject/body that could "fool" the user of the website to believe the email is sent from official representatives of the website.
Probably the quickest solution would be to refactor the "email a friend" feature as a submodule - so only the people who really need this feature get it enabled.
Maybe you have some ideas on what would be the best way to seal off this crack?
Comments
Comment #2
lolcode: A few options that come to mind are:
Comment #3
greggles: This seems pretty important. Also clarifying the title of what is being hardened.
Comment #4
scuba_fly: A valid concern.
Let us start with at least:
Making the "social-media-forward" route only enabled if the email option is enabled.
Comment #7
scuba_fly: Added option 2 as well in the last commit: Making a separate "mailto" email option for those who want an email link but who don't want to enable the route based option.
"Providing a permission to limit access to the route based email option based on roles" changes the behaviour of this module.
Since this issue has been open for more than a year, I think it is safe to close it as fixed with the last commit.
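The hardening described in comments #4 and #7 (the route only exists while the email option is enabled, plus a permission to limit who may use it), as an added illustration in Drupal 8+ style; this is not the module's own code, and the module name `social_media`, the config key `email_enabled`, the permission name and the route name are all assumed:

```php
<?php
// Illustrative access check for /social-media-forward (assumed module name,
// config key, permission and route name; not the social_media module's code).
// Wire it in social_media.routing.yml, e.g.:
//   social_media.forward:
//     path: '/social-media-forward'
//     requirements:
//       _custom_access: '\Drupal\social_media\Access\ForwardEmailAccessCheck::access'
// and declare the permission in social_media.permissions.yml:
//   use social media forward email:
//     title: 'Use the social media "email a friend" form'

namespace Drupal\social_media\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

class ForwardEmailAccessCheck implements ContainerInjectionInterface {

  public function __construct(protected ConfigFactoryInterface $configFactory) {}

  public static function create(ContainerInterface $container): static {
    return new static($container->get('config.factory'));
  }

  public function access(AccountInterface $account): AccessResult {
    $config = $this->configFactory->get('social_media.settings');

    // Option 1: while the site has not switched the email share on,
    // the route is forbidden for everyone, anonymous or not.
    if (!$config->get('email_enabled')) {
      return AccessResult::forbidden('Email forwarding is disabled.')
        ->addCacheableDependency($config);
    }

    // Option 2: once enabled, still require an explicit permission, so the
    // anonymous role only gets the form if the site deliberately grants it.
    return AccessResult::allowedIfHasPermission($account, 'use social media forward email')
      ->addCacheableDependency($config);
  }

}
```

Both results carry the config object as a cacheability dependency, so toggling the option invalidates cached access decisions instead of leaving the route reachable until the render cache expires.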