Ticket #3684 (closed defect: worksforme)

Opened 5 years ago

Last modified 5 years ago

Susceptible to spammy redirects

Reported by: anonymous
Owned by: cboos
Priority: high
Milestone:
Component: ticket system
Version: 0.9.6
Severity: major
Keywords:
Cc:
Release Notes:
API Changes:

Description

Spammers upload attachments, then spamvertize them (typically comment spamming on blogs etc) with ?format=raw behind the URL. Then the redirects work.

Spammy redirects using holes in software is the new spam technique, and needs to be plugged wherever the hole is used.

Details here: http://spamhuntress.com/2006/09/07/trac-ticket-system-susceptible-to-redirects/

Attachments

Change History

comment:1 Changed 5 years ago by cboos

  • Keywords needinfo added
  • Milestone set to 0.10
  • Owner changed from jonas to cboos

Live from irc:

<cboos> actually, when I tried to see them, I could see the source, but trying to view the "Original Format" redirected me to some other point in the web... The spam html files did contain <script> tags, and the javascript code must have done the redirect
<cboos> ... so probably lighttpd has the render_unsafe_content flag set to true ... or there's a problem with that part of the code

We should check whether the render_unsafe_content TracIni#attachment flag works as expected.

comment:2 Changed 5 years ago by mgood

  • Keywords needinfo removed
  • Milestone 0.10 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I just verified with one of the Lighttpd admins that render_unsafe_content was set to true, so this just seems to be a config issue.
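The check that comment:1 asks for and comment:2 carried out by hand, as an added example (not code from this ticket or from Trac itself): it reads a trac.ini and flags the [attachment] render_unsafe_content option when it is enabled. The section and option names are Trac's real configuration keys; the two ini fragments are constructed samples, and the assumption that true/yes/on/1 count as enabled follows Python's configparser rather than Trac's own parser.

```python
"""Audit a trac.ini for [attachment] render_unsafe_content.

Added example, not Trac project code. With this option true, an uploaded
HTML attachment fetched with ?format=raw is rendered by the browser under
the Trac site's origin, so any <script> it carries runs there (the
redirect behaviour described in this ticket). Trac's default is false.
"""
import configparser

# Constructed sample: the weak configuration found in comment:2
WEAK_INI = """
[attachment]
max_size = 262144
render_unsafe_content = true
"""

# Constructed sample: the safe configuration (Trac's default value)
SAFE_INI = """
[attachment]
max_size = 262144
render_unsafe_content = false
"""


def render_unsafe_enabled(ini_text: str) -> bool:
    """Return True when [attachment] render_unsafe_content is enabled.

    A missing section or option means the default, which is false.
    Assumption: true/yes/on/1 (case-insensitive) are accepted as true,
    which is configparser's rule, used here as a stand-in for Trac's.
    A value that parses as neither is reported as enabled so that an
    operator looks at it instead of silently trusting it.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("attachment"):
        return False
    try:
        return cp.getboolean("attachment", "render_unsafe_content",
                             fallback=False)
    except ValueError:
        return True


def audit(ini_text: str) -> list:
    """Return a list of findings (empty when the config is safe)."""
    findings = []
    if render_unsafe_enabled(ini_text):
        findings.append(
            "[attachment] render_unsafe_content = true: HTML attachments are "
            "served inline via ?format=raw and embedded script executes; "
            "set it to false unless every uploader is trusted")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("safe", SAFE_INI)):
        print(name, audit(text) or ["ok"])
```

Running it against a real installation is a matter of passing the contents of conf/trac.ini to audit(); an empty result is the expected state for an instance that accepts attachments from anonymous users.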
