dpc22 changed the title from "/wws/renewpasswd can generate nuisance messags" to "/wws/renewpasswd can generate nuisance messages" on Jan 11, 2021
Expected Behaviour
Automated scripts should not be able to send email messages to random recipients using the wwsympa .../renewpasswd link.
Current Behaviour
This is possible. While the content is fixed (see attached example) it has the potential to cause nuisance or confusion.
Example.txt
Possible Solution
Mailman can use a CAPTCHA to protect the equivalent function. Alternately some form of rate limit on renewpasswd requests?
I found #492, but that doesn't protect against scripts attacking renewpasswd directly.
Context
I received a couple of hundred bounce messages over the weekend from attempts to send password renewals to the invalid address sample@email.tst. There were also lots of SQL insertion attacks from the same source IP address in a very short interval, so obviously some form of script.
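The rate limit suggested under Possible Solution, as an added example that is not part of the original report and is not Sympa code: a sliding-window limiter keyed on both the source IP and the target address, replayed over constructed traffic shaped like the burst described in Context. The class and function names, the thresholds and the documentation-range IP addresses are assumptions.

```python
import time
from collections import deque


class RenewalLimiter:
    """Sliding-window limit on password-renewal mails (illustrative, not Sympa code)."""

    def __init__(self, per_ip=5, per_address=2, window=3600.0, clock=time.monotonic):
        self.limits = {"ip": per_ip, "addr": per_address}  # assumed thresholds
        self.window = window
        self.clock = clock
        self.events = {}  # (kind, key) -> deque of send timestamps

    def _recent(self, bucket, now):
        q = self.events.get(bucket)
        if q is None:
            return 0
        while q and now - q[0] >= self.window:
            q.popleft()  # drop sends that have aged out of the window
        if not q:
            del self.events[bucket]  # forget idle keys so sprayed addresses do not pile up
        return len(q)

    def allow(self, source_ip, address):
        """Return True and record the send if both buckets are under their limit."""
        now = self.clock()
        buckets = [("ip", source_ip), ("addr", address.strip().lower())]
        if any(self._recent(b, now) >= self.limits[b[0]] for b in buckets):
            return False
        for b in buckets:
            self.events.setdefault(b, deque()).append(now)
        return True


def replay(requests):
    """Feed (timestamp, ip, address) tuples through a limiter; return those that send mail."""
    now = [0.0]
    limiter = RenewalLimiter(clock=lambda: now[0])
    sent = []
    for ts, ip, addr in requests:
        now[0] = ts
        if limiter.allow(ip, addr):
            sent.append((ts, ip, addr))
    return sent


# Constructed traffic: a scripted burst at one address plus one ordinary user.
BURST = [(i * 0.5, "192.0.2.10", "sample@email.tst") for i in range(200)]
LEGIT = [(30.0, "198.51.100.7", "alice@example.org")]

if __name__ == "__main__":
    print(len(replay(sorted(BURST + LEGIT))), "mails sent out of", len(BURST) + len(LEGIT))
```

Keying on the address as well as the IP caps the bounces a single invalid recipient can generate even when requests arrive from several sources, while the unrelated user in the sample is unaffected.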