
knifeman

tell a friend turned off?


On a 2.3 store, I have tell a friend set to false for allowing guests to use it.

I noticed in my Who's Online that a guest was accessing tell a friend directly. If I try this, I am sent to login.php and Who's Online says I am on the login page.

So it seems there is some bypass for this page.

 

The Who's Online URL ended in process, not success. Does this mean the guest was unsuccessful?

I have renamed the tell a friend file to prevent any further issues today.

Is this a known exploit and is there a fix to prevent this?

 

Tim


I had my web host email this, after disabling the tell-a-friend feature without notice:

For your own security, we have disabled the "Tell A Friend" guest feature from your OSCommerce installation(s). Spammers frequently utilize this feature to send unsolicited emails. If you already had this feature disabled, we appreciate it; if not, we strongly encourage that you not re-enable this functionality. OSCommerce by default has this feature disabled and encourages users to not enable it. All registered users of your OSCommerce installation are still capable of using this feature, however. We apologize for the inconvenience this may cause you if you happened to be using this feature up until recently.

 

I checked and sure enough, when you tried to use the tell a friend you got this ugly message from the webhost. A few days later, without notice, they announced the tell a friend on my site was enabled, and when I checked it was working as before just fine, no ugly message or anything.

 

On my site you have to be signed on to use the tell-a-friend, so maybe that's why they 'reenabled' it. But I found it interesting (disturbing, rather) they could target some isolated function of my shopping cart and just disable it.

 

Otherwise my webhost is great, so I didn't get all self-righteous, and besides I was just too busy to focus on it. Maybe I should disable it altogether? I don't know.

Oscommerce site:

OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120


Guest | 208.73.23.219 | 14:23:59 | 14:23:59 | /tell_a_friend.php?products_id=232&action=process | Yes | Not Found


After banning a few overseas IP addys, I turned tell a friend back on.

It is set to false for allowing a guest to use.

 

Above is from my Who's Online today. If I click the link, it takes me to the login page. So how are people accessing the page?

 

Tim


I have recently had a problem with a registered user sending spam through my site using Tell A Friend. The first time around, I banned his IP address. This time, I banned the IP address, changed his password, and set his email to mine, so that when he attempts to log in, it will fail, and when he tries to reset the password, the request will come to me.

 

I have been using osC reCAPTCHA http://addons.oscommerce.com/info/6306 in my 2.2 store, but forgot to protect Tell A Friend, possibly because it wasn't in the original version. I just resolved that issue today.

 

What alerted me to the problem was that my web host (1&1) sent me a warning message to clean up the addresses in my database, because a large percentage of the addresses I was sending to were invalid. Since I knew I wasn't sending anything, I looked at Who's Online and saw a registered user repeatedly accessing Tell A Friend.

 

--Glen


Note that in 2.3.3, the Tell Friend module is protected by Action Recorder, which is set to allow 1 use every 15 minutes.


Help shape the future of Phoenix; join the Phoenix Club


As mentioned by others, TAF can be easily abused to send spam. If not protected against bot and/or too-frequent use, it should be disabled for guests. If the link still exists on a product page that a bot is seeing, it will still "click" the link to try to follow it and use TAF, but they shouldn't be able to get any further than that. That is, they can be sitting there on the TAF page but unable to go further -- nothing to worry about. Do you have solid evidence that a bot (guest) is able to actually use TAF even if it's disabled for guests?

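An added example, not code from this thread or from osCommerce, that applies MrPhil's point and the Action Recorder note above to Who's Online data: a guest row on action=process only proves the URL was requested (the login redirect stops it), while repeated success pages from one address inside a 15-minute window are the send pattern worth flagging. The rows are constructed; only the first mirrors the one pasted in the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs
# Constructed Who's Online style rows (customer, ip, last click, last page URL);
# only the first mirrors the row pasted in the thread, the rest are made up.
SAMPLE_ROWS = [
    ("Guest", "208.73.23.219", "14:23:59", "/tell_a_friend.php?products_id=232&action=process"),
    ("Guest", "208.73.23.219", "14:24:10", "/tell_a_friend.php?products_id=232&action=process"),
    ("Guest", "203.0.113.7", "14:26:00", "/product_info.php?products_id=232"),
    ("Jane Doe", "198.51.100.5", "14:30:00", "/tell_a_friend.php?products_id=232&success"),
    ("Jane Doe", "198.51.100.5", "14:33:00", "/tell_a_friend.php?products_id=232&success"),
]

def tell_a_friend_action(url):
    """Return 'process', 'success' or None for a Who's Online last-page URL."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/tell_a_friend.php"):
        return None
    qs = parse_qs(parsed.query, keep_blank_values=True)
    if "success" in qs or qs.get("action") == ["success"]:
        return "success"   # the mail was actually sent
    if qs.get("action") == ["process"]:
        return "process"   # form submitted or URL hit directly; nothing sent yet
    return None

def analyze(rows, window=timedelta(minutes=15), max_sends=1):
    """Group hits by IP. Flag 'guest_direct_process' (guest on action=process: a
    direct request the login redirect stops, not a send) and 'send_rate_exceeded'
    (more than max_sends success pages per window, what Action Recorder throttles)."""
    hits = defaultdict(lambda: {"customers": set(), "process": 0, "success": [], "flags": []})
    for customer, ip, clock, url in rows:
        action = tell_a_friend_action(url)
        if action is None:
            continue
        rec = hits[ip]
        rec["customers"].add(customer)
        if action == "process":
            rec["process"] += 1
        else:
            rec["success"].append(datetime.strptime(clock, "%H:%M:%S"))
    for rec in hits.values():
        if "Guest" in rec["customers"] and rec["process"]:
            rec["flags"].append("guest_direct_process")
        times = sorted(rec["success"])
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) > max_sends:
                rec["flags"].append("send_rate_exceeded")
                break
    return dict(hits)
```

Run against a Who's Online export, the guest flag is just noise to confirm the redirect works, and the rate flag is the account to look at.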


MrPhil,

 

Not sure which post you are asking for clarification on.

I do not have proof it was used successfully. In my Who's Online I see this URL:

/tell_a_friend.php?products_id=232&action=process

 

I am assuming it did not work, as they never get to this URL:

/tell_a_friend.php?products_id=232&success

 

I wonder how they got to the page they did get to. I cannot access that page with my browser; it automatically takes me to the login page, like it should.

 

 

Tim
