Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

how do I stop “sendfriend” being used to send spam?
 
pauld
Member
 
Total Posts:  38
Joined:  2008-04-20
Port Melbourne, Australia
 

Hi All,
I have switched this feature off for now, but last night I started to get bounces from various mailservers. This is the log entry:

92.48.124.200 - - [19/Jul/2008:05:48:33 +1000] "POST /sendfriend/product/sendmail/id/7/ HTTP/1.0" 302 - "http://www.alond.com.au/sendfriend/product/send/id/7/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311"

They seem to be able to inject text and links into the email.

Is there something I can do to retain this feature, but not have it abused?

Thanks,

Paul

 
 
Michae1
Enthusiast
 
Total Posts:  826
Joined:  2007-08-31
 
pauld - 18 July 2008 04:10 PM

They seem to be able to inject text and links into the email.

There’s a “Message” field by default that allows you to put a comment on the product you are sending.

pauld - 18 July 2008 04:10 PM

Is there something I can do to retain this feature, but not have it abused?

You can customize it to either not have a message field at all, or to allow this feature only for customers who have placed at least one order, etc.

 
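One defender-side way to spot the burst pattern behind those bounces, as an added example that is not part of this thread or of Magento itself: a short Python script that parses combined-format access log lines like the one quoted in the question and flags any IP that POSTs to the sendmail action more than a set number of times within a sliding window. The addresses, timestamps and the shop.example referer are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, as in the entry quoted in the question
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
SENDMAIL_PATH = re.compile(r'^/sendfriend/product/sendmail/')

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'method': m.group('method'),
            'path': m.group('path'), 'ua': m.group('ua')}

def flag_sendfriend_abuse(lines, max_posts=5, window_seconds=600):
    """Map IP -> total sendmail POSTs for every IP that made more than
    max_posts POSTs to the sendmail action inside any window_seconds span."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and SENDMAIL_PATH.match(rec['path']):
            per_ip[rec['ip']].append(rec['ts'])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_posts:
                flagged[ip] = len(times)
                break
    return flagged

def _line(ip, ts, method, path):
    # Constructed sample line; referer and user agent copy the shape of the quoted entry
    return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.0" 302 - '
            f'"http://shop.example/sendfriend/product/send/id/7/" '
            f'"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311"')

# Constructed sample: one address bursts six sendmail POSTs in five minutes,
# another views the form once and sends once.
SAMPLE_LOG = [_line('203.0.113.10', f'19/Jul/2008:05:4{i}:33 +1000', 'POST',
                    '/sendfriend/product/sendmail/id/7/') for i in range(6)]
SAMPLE_LOG += [_line('198.51.100.7', '19/Jul/2008:06:02:10 +1000', 'GET',
                     '/sendfriend/product/send/id/7/'),
               _line('198.51.100.7', '19/Jul/2008:06:03:40 +1000', 'POST',
                     '/sendfriend/product/sendmail/id/7/')]

if __name__ == '__main__':
    print(flag_sendfriend_abuse(SAMPLE_LOG))   # {'203.0.113.10': 6}
```

Feed it the real access log instead of SAMPLE_LOG to get a list of addresses worth blocking at the firewall or rate-limiting in front of the sendmail action.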
 
pauld
Member
 
Total Posts:  38
Joined:  2008-04-20
Port Melbourne, Australia
 

Doh!

Of course there is a message field... I was thinking of all sorts of SQL injection things, etc.

Michael, thanks for replying, I’ll see if I can get rid of the message option, and then re-enable the feature!

Regards,

Paul

 