[Vulnerabilities] Spamtrap #2601

Open

peter-gribanov opened this issue Aug 28, 2017 · 0 comments

Comments

peter-gribanov commented Aug 28, 2017

You have a spamtrap vulnerability.

Affected Symfony FOSUserBundle versions:

In the subject, since 14 Jan 2012:

subject: Welcome %username%!

And in the body, since 16 Apr 2011 or earlier:

user.email.confirmation: "Welcome %username%!\nHello %username%!\n\nTo finish validating your account - please visit %confirmationUrl%\n\nRegards,\n\nthe Team."

It is still present now:

https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/translations/FOSUserBundle.en.yml#L43

This applies to the translations for many languages, e.g. Russian:

Добро пожаловать %username%! ("Welcome %username%!")

Description of the problem including expected versus actual behavior:

Steps to reproduce:

  1. A spammer registers with the name `900$ PER DAY HERE www.example.com` and the email address [email protected]

  2. A real user receives a message:

    Subject: Welcome 900$ PER DAY HERE www.example.com!
    To: [email protected]
    From: "My company" <[email protected]>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8
    
    Hello 900$ PER DAY HERE www.example.com!
    
    To finish activating your account - please visit https://my-domain.com/register/confirm/...
    
    Regards,
    the Team.
    
  3. My domain gets banned for spamming.

PS: Prohibiting the use of spaces in the username is not a solution to the problem.

@peter-gribanov peter-gribanov changed the title Spamtrap [Vulnerabilities] [Vulnerabilities] Spamtrap Aug 28, 2017
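The following is an added example, not code from FOSUserBundle or from the issue author. It reproduces the problem described above in plain PHP (no Symfony dependencies): a function that renders the confirmation mail the way the old translation strings did, so the registrant's username lands in the Subject header and the greeting, next to a hardened variant that keeps user-controlled text out of the subject and greeting entirely. The `looksLikeSpam()` heuristic and the sample accounts are assumptions constructed for the demonstration; the heuristic is a secondary guard, the primary fix is not interpolating the username into the message at all. The confirmation URL and its token are placeholders.

```php
<?php
// Added example (not FOSUserBundle code): why interpolating a user-controlled
// username into the confirmation e-mail turns registration into a spam relay,
// and one way to harden the rendering.

declare(strict_types=1);

// Constructed sample registrations: a real user and the spammer from the issue.
// E-mail addresses are placeholders, not real accounts.
$accounts = [
    ['username' => 'alice', 'email' => 'alice@example.org'],
    ['username' => '900$ PER DAY HERE www.example.com', 'email' => 'victim@example.org'],
];

// Vulnerable rendering, mirroring the old translation strings: the username is
// substituted into the Subject header and the first line of the body, so the
// spammer controls what the recipient (and spam filters) see first.
function renderVulnerable(string $username, string $confirmationUrl): array
{
    $subject = strtr('Welcome %username%!', ['%username%' => $username]);
    $body = strtr(
        "Hello %username%!\n\nTo finish validating your account - please visit %confirmationUrl%\n\nRegards,\n\nthe Team.",
        ['%username%' => $username, '%confirmationUrl%' => $confirmationUrl]
    );
    return ['subject' => $subject, 'body' => $body];
}

// Assumed heuristic: does the username read like an advertisement rather than
// a name? It deliberately does not reject spaces (see the PS in the issue).
function looksLikeSpam(string $username): bool
{
    $patterns = [
        '~(?:https?://|www\.)\S+~i',                        // embedded URL
        '~\b[a-z0-9-]+\.(?:com|net|org|ru|info|biz)\b~i',   // bare domain name
        '~[$€£]\s*\d|\d\s*[$€£]~u',                        // currency amount
        '~\b(?:per day|earn|free money|click here)\b~i',    // common lures
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $username) === 1) {
            return true;
        }
    }
    return false;
}

// Hardened rendering: a fixed subject (no user-controlled text in headers), a
// neutral greeting, and the server-generated confirmation URL as the only
// variable content. Registrations whose username looks like spam are refused
// so the mail is never sent.
function renderHardened(string $username, string $confirmationUrl): ?array
{
    if (looksLikeSpam($username)) {
        return null; // do not send; flag the registration for review instead
    }
    $subject = 'Please confirm your account';
    $body = "Hello,\n\nAn account was registered with this e-mail address. "
          . "To finish validating it, please visit\n{$confirmationUrl}\n\n"
          . "If you did not register, you can ignore this message.\n\nRegards,\n\nthe Team.";
    return ['subject' => $subject, 'body' => $body];
}

$confirmationUrl = 'https://my-domain.com/register/confirm/TOKEN'; // placeholder token

foreach ($accounts as $account) {
    $vulnerable = renderVulnerable($account['username'], $confirmationUrl);
    echo "VULNERABLE subject to {$account['email']}: {$vulnerable['subject']}\n";

    $hardened = renderHardened($account['username'], $confirmationUrl);
    if ($hardened === null) {
        echo "HARDENED: refused to mail {$account['email']} (username looks like spam)\n";
    } else {
        echo "HARDENED subject to {$account['email']}: {$hardened['subject']}\n";
    }
}
```

Run it with `php spamtrap.php`. For the spammer account the vulnerable path produces the subject `Welcome 900$ PER DAY HERE www.example.com!` exactly as shown in the issue, while the hardened path refuses to send; for `alice` the hardened path sends the fixed subject `Please confirm your account`. Keeping the username out of the subject and greeting is what removes the spammer's control over the message; the pattern filter only reduces how many such registrations reach the mailer at all.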