#6838 closed defect (wontfix)
Database spammable
| Reported by: | anonymous | Owned by: | Jonas Borgström |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | 0.10.4 |
| Severity: | normal | Keywords: | |
| Cc: | jdthood@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
I noticed these lines in my apache log:
154.62-50-162.enivest.net - - [10/Feb/2008:05:22:22 +0100] "GET /projects/mytrac/settings HTTP/1.1" 200 4750 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)" 154.62-50-162.enivest.net - - [10/Feb/2008:05:22:23 +0100] "POST /projects/mytrac/settings HTTP/1.1" 303 14 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)"
The result (except that I have added 'SPAM' to the spammer's URLs):
$ sqlite3 ./trac.db sqlite> select * from session ; joe|1|1203072661 fred|1|1201513822 jane|1|1192642350 hi there <a href="http://SPAM//jypie.info/replica-watches/replica-diamond-rolex.php">replica diamond rolex</a> <a href="http://SPAM//jypie.info/replica-watches/replica-watches-rolex-gmt.php">replica watches rolex gmt</a> http://SPAM//jypie.info/replica-watches/bund-replica-watch.php <a href="http://SPAM//jypie.info/replica-watches/hublot-replica-watches.php">hublot replica watches</a> <a href="http:///SPAM//jypie.info/replica-watches/tissot-replica-watches.php">tissot replica watches</a> http://SPAM//jypie.info/replica-watches/replica-watch-stores-los-angeles.php <a href="http://SPAM//jypie.info/replica-watches/replica-tiffany-watches.php">replica tiffany watches</a> <a href="http://SPAM//jypie.info/replica-watches/chinese-rolex-replica.php">chinese rolex replica</a> http://SPAM//jypie.info/replica-watches/breitling-replica-watch.php <a href="http://SPAM//jypie.info/replica-watches/replica-designer-watches.php">replica designer watches</a> <a href="http://SPAM//jypie.info/replica-watches/hublot-rose-gold-big-bang-replica-watch.php">hublot rose gold big bang replica watch</a> http://SPAM//jypie.info/replica-watches/omega-rolex-replicas-replica-tag-heuer-watches.php http://SPAM//jypie.info/replica-watches/sea-dweller-replica-watch.php |0|1203097885
I am not sure what all the relevant accompanying information would be. The user 'anonymous' has all _VIEW permissions and no other permissions.
If there is a setting I need to change, please let me know. — Thomas Hood <jdthood@…>
Attachments (0)
Change History (5)
comment:1 by , 16 years ago
| Version: | 0.10-stable → 0.10.4 |
|---|
comment:3 by , 16 years ago
In order to block the spammers, for now I will require authentication in order to visit the settings page.
<LocationMatch "/projects/[^/]+/(settings|login)">
AuthType Basic
AuthName "projects"
AuthUserFile /var/lib/svnroot/svnroot-authfile
Require valid-user
</LocationMatch>
Note that the session_attribute table gets hit too.
comment:4 by , 16 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Heh, database spamming… I wonder what the spammer was expecting to achieve :-)
Anyway, this is a risk with open sites, and I don't know what we could do against it. Perhaps a captcha plugin?
comment:5 by , 16 years ago
Note that the source:sandbox/spam-filter-captcha variant of our SpamFilter nearly works (modulo #7173).
Version is 0.10.4