Hello!

I would like to propose a security hardening, but to be honest I do not have a definite answer on which solution is the best to implement. However, let's first look into the problem.

After enabling this module, the following path becomes accessible to any anonymous user: /social-media-forward. That page offers an "email a friend" kind of share. But it also opens a possibility for an anonymous user to send an arbitrary email to an arbitrary recipient. I personally see 2 possible ways to abuse it:

  • Somebody could use it for spamming
  • Somebody could use it for phishing against the attacked website. The email is sent from the default site email address (and actually would look 100% legitimate to any SMTP/email client), but it allows the attacker to craft any subject/body that could "fool" the user of the website into believing the email was sent by official representatives of the website.

Probably the quickest solution would be to refactor the "email a friend" feature as a submodule - so only the people who really need this feature get it enabled.

Maybe you have some ideas on what would be the best way to seal off this crack?
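One way to seal off the route in a Drupal 8 module is a custom route access check that only allows /social-media-forward when the email share option is switched on and the requesting account holds a dedicated permission (so anonymous users get a 403 unless a site deliberately grants it). This is an added illustration written for this thread, not code from the module or from any commit referenced here; the module name "mymodule", the config object "mymodule.settings", the config key "email_enabled", the permission "use social media email share" and the service/requirement names are all assumptions.

```php
<?php

// Hypothetical access check for the /social-media-forward route.
// Wiring (assumed names, shown here as comments because the check is useless
// without them):
//
// mymodule.services.yml
//   services:
//     mymodule.email_share_access:
//       class: Drupal\mymodule\Access\EmailShareAccessCheck
//       arguments: ['@config.factory']
//       tags:
//         - { name: access_check, applies_to: _email_share_access }
//
// mymodule.routing.yml (weak: anyone, including anonymous, can reach it)
//   mymodule.social_media_forward:
//     path: '/social-media-forward'
//     requirements:
//       _access: 'TRUE'
//
// mymodule.routing.yml (hardened: the requirement below invokes this class)
//   mymodule.social_media_forward:
//     path: '/social-media-forward'
//     requirements:
//       _email_share_access: 'TRUE'

namespace Drupal\mymodule\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Denies the forward route unless the email share option is enabled in the
 * module configuration AND the account holds a dedicated permission.
 *
 * Either condition on its own closes the anonymous "send arbitrary email"
 * hole; together they let a site keep the feature for trusted roles only.
 */
class EmailShareAccessCheck implements AccessInterface {

  protected ConfigFactoryInterface $configFactory;

  public function __construct(ConfigFactoryInterface $config_factory) {
    $this->configFactory = $config_factory;
  }

  /**
   * Access callback invoked by the routing system for the tagged requirement.
   */
  public function access(AccountInterface $account): AccessResultInterface {
    // Assumed config object and key: the site administrator's on/off switch
    // for the email share feature.
    $settings = $this->configFactory->get('mymodule.settings');
    $enabled = (bool) $settings->get('email_enabled');

    // allowedIf() yields "neutral" (i.e. denied) when the feature is off.
    // The config object is added as a cache dependency so that toggling the
    // setting invalidates cached access decisions.
    $feature_on = AccessResult::allowedIf($enabled)
      ->addCacheableDependency($settings);

    // allowedIfHasPermission() carries the 'user.permissions' cache context,
    // so the decision is cached per role set rather than leaking across roles.
    $has_permission = AccessResult::allowedIfHasPermission(
      $account,
      'use social media email share'
    );

    // andIf(): both must be allowed; a forbidden result on either side wins.
    return $feature_on->andIf($has_permission);
  }

}
```

With this in place the route returns 403 for anonymous visitors by default; the permission would be declared in the module's permissions.yml and granted to a role only by a site that wants the feature. Rate limiting (Flood) and a CSRF token on the form are separate layers that this check does not replace.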

Comments

bucefal91 created an issue.

lolcode wrote:

A few options that come to mind are:

  1. Making the "social-media-forward" route only enabled if the email option is enabled.
  2. Making a separate "mailto" email option for those who want an email link but who don't want to enable the route based option.
  3. Providing a permission to limit access to the route based email option based on roles.

greggles wrote:

Title: Hardening email share » Hardening email share against abuse for sending unsolicited messages
Priority: Normal » Major

This seems pretty important. Also clarifying the title of what is being hardened.

scuba_fly wrote:

Assigned: Unassigned » scuba_fly

A valid concern.

Let us start with at least:

Making the "social-media-forward" route only enabled if the email option is enabled.

  • scuba_fly committed ffa8247 on 8.x-1.x
    Issue #2957419 by bucefal91, lolcode, greggles, scuba_fly: Hardening...

  • scuba_fly committed 639c7c2 on 8.x-1.x
    Issue #2957419 by scuba_fly: Hardening email share against abuse for...

scuba_fly wrote:

Status: Active » Fixed

Added option 2 as well in the last commit: Making a separate "mailto" email option for those who want an email link but who don't want to enable the route based option.

"Providing a permission to limit access to the route based email option based on roles" changes the behaviour of this module.

Since this issue has been open for more than a year, I think it is safe to close it as fixed with the last commit.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.