Flyspray - The bug killer!

  • Status Unconfirmed
  • Percent Complete 0%
  • Task Type Bug Report
  • Category Backend/Core
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority High
  • Reported Version 1.0-rc
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by Arthmoor - 06.08.2017

FS#2437 - Spammers are able to bypass disabled user registrations

Spammers have found a way to bypass the block on user registration and cause entries to be inserted into the registrations table in the database. I have 30+ of them in there right now, all inserted within the last 2 days. I’ve had user registrations disabled for 2 weeks now because of an onslaught of spammers who won’t leave us alone. Flyspray has insufficient safeguards against them so when this happens I have little choice.

I don’t have any idea how, but these entries in the registrations table are resulting in emails being sent out to these accounts that are bouncing because the spammers are on domain blocklists for forging their DNS responses.

Something needs to be done about this, because if they can insert phantom entries into this database table via the code, what else could they be doing that we haven’t spotted yet?

Project Manager
peterdd commented on 10.08.2017 20:14

Do you have access to the web server logs? Maybe you can identify and isolate the way the spammers get in.

E.g. look at when the spammer registered and posted spam, compared to the activity in the web server log.

Besides the possibility of such a yet-unknown security issue within Flyspray:

Other possibilities:

  • site got hacked and a backdoor installed (compare the GitHub Flyspray master source with your web server directory)
  • someone got the login credentials of a Flyspray admin account, enabled registration, registered new users and posted spam as those users, disabled user registration, logged off...
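The log correlation peterdd suggests (line up the creation time of each row in the registrations table with the web server log around that moment) can be scripted so it is repeatable across many rows. The following is an added example, not code from Flyspray or from anyone in this thread. It parses Apache combined-format lines and, for each registration timestamp, lists the requests within a few seconds of it; it also pulls out every POST to the registration handler, since with registration disabled none should exist. The log lines and timestamps are constructed, and the `?do=register` query string is an assumption about how Flyspray's front controller addresses registration; substitute whatever your own logs show.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: creation timestamps (UTC) of two suspect rows in the
# registrations table, as they would be copied out of the database.
REGISTRATION_TIMES = [
    "2017-08-05 03:12:41",
    "2017-08-05 03:12:58",
]

# Constructed sample of Apache "combined" log lines. The ?do=register query
# string is an assumption about how Flyspray names its registration handler.
ACCESS_LOG = """\
203.0.113.7 - - [05/Aug/2017:03:12:39 +0000] "GET /index.php?do=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2017:03:12:41 +0000] "POST /index.php?do=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.21 - - [05/Aug/2017:03:12:45 +0000] "GET /index.php?do=index HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2017:03:12:58 +0000] "POST /index.php?do=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.21 - - [05/Aug/2017:09:00:00 +0000] "GET /index.php?do=details&task_id=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def correlate(entries, registration_times, window_seconds=10):
    """For each registration timestamp, collect log entries within +/- window_seconds."""
    window = timedelta(seconds=window_seconds)
    hits = {}
    for reg in registration_times:
        # Database timestamps are taken to be UTC; adjust if your server stores local time.
        reg_ts = datetime.strptime(reg, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        hits[reg] = [e for e in entries if abs(e["ts"] - reg_ts) <= window]
    return hits


def registration_posts(entries):
    """Writes to the registration handler. With registration disabled, none should exist."""
    return [e for e in entries if e["method"] == "POST" and "do=register" in e["path"]]


def top_sources(entries):
    """Client IPs ranked by how many registration POSTs they sent."""
    return Counter(e["ip"] for e in registration_posts(entries)).most_common()


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    for reg, near in correlate(entries, REGISTRATION_TIMES).items():
        print(f"registration at {reg}:")
        for e in near:
            print(f"  {e['ts']:%H:%M:%S} {e['ip']} {e['method']} {e['path']} {e['status']}")
    print("registration POSTs by source:", top_sources(entries))
```

On a real installation, replace `ACCESS_LOG` with the contents of the access log and `REGISTRATION_TIMES` with the timestamps selected from the registrations table. A request that reaches the registration handler while the feature is switched off is the thing to look for; the source IP and the preceding requests from it show whether the path runs through the normal UI or somewhere else.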

Project Manager
peterdd commented on 17.08.2017 22:04

@Arthmoor: Any news?

Arthmoor commented on 28.08.2017 00:45

I do have access to the logs but I was not able to determine how they're gaining access. Only that the registrations table was collecting data when that should not be possible since the setting to allow registrations is disabled.

There's nothing to indicate a site hack, and IMO if that had happened I would have to assume they'd be far more interested in the server itself than being content to spam the tracker. There's also no evidence of a compromised admin account.

I'm not sure how much more help I can be at this point either. I've decided to go ahead with old plans to write a tracker myself. It may not be as fancy as what's here, but it'll have up to date spam protection and password encryption, which is something our users value more than the little conveniences.
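"Nothing to indicate a site hack" is easier to stand behind when the check is mechanical. peterdd's earlier suggestion was to compare the upstream Flyspray source with the web server directory; the added example below (not Flyspray code, and not from either participant) does that by hashing every file in a clean reference checkout and in the deployed tree, then listing files that were added, modified or removed. Runtime directories that legitimately differ can be excluded by prefix. The two directory trees it builds are constructed fixtures with illustrative file names, not Flyspray's real layout.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(reference, deployed, ignore_prefixes=()):
    """Compare a deployed web root against a clean reference checkout.

    Returns paths that exist only in the deployment ('added'), differ in
    content ('modified'), or are absent from it ('missing'). Paths starting
    with any of ignore_prefixes (runtime data such as a cache directory) are
    left out so expected local differences do not drown the interesting ones.
    """
    ref = file_digests(reference)
    dep = file_digests(deployed)

    def keep(path):
        return not path.startswith(ignore_prefixes)

    return {
        "added": sorted(p for p in dep if p not in ref and keep(p)),
        "modified": sorted(p for p in ref if p in dep and ref[p] != dep[p] and keep(p)),
        "missing": sorted(p for p in ref if p not in dep and keep(p)),
    }


def build_demo_trees():
    """Constructed fixture: a tiny 'reference' tree and a 'deployed' copy with
    one altered file, one unexpected PHP file and one harmless cache file.
    File names are illustrative, not Flyspray's real layout."""
    base = Path(tempfile.mkdtemp(prefix="fs_integrity_"))
    reference, deployed = base / "reference", base / "deployed"
    files = {
        "index.php": "<?php echo 'index';\n",
        "includes/class.user.php": "<?php class User {}\n",
        "lang/en.php": "<?php return [];\n",
    }
    for root in (reference, deployed):
        for name, body in files.items():
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Deviations present in the deployed copy only.
    (deployed / "includes/class.user.php").write_text("<?php class User {} // altered\n")
    (deployed / "uploads").mkdir()
    (deployed / "uploads/helper.php").write_text("<?php // not in reference\n")
    (deployed / "cache").mkdir()
    (deployed / "cache/session.dat").write_text("runtime data\n")
    return str(reference), str(deployed)


if __name__ == "__main__":
    ref, dep = build_demo_trees()
    for kind, paths in compare_trees(ref, dep, ignore_prefixes=("cache/",)).items():
        print(f"{kind}: {paths}")
```

For a real comparison, point `compare_trees` at a fresh checkout of the release you deployed and at the live web root, and put the installation's own writable directories (attachments, cache, the local configuration file) in `ignore_prefixes`. Any PHP file in the "added" list, or any core file in "modified", deserves a look before concluding the code is untouched.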

Project Manager
peterdd commented on 09.10.2017 00:50

Flyspray 1.0-rc6 released.

Although I don't think it fixes your registration spam issue, there are several security fixes in this rc6 release, and hardening like locking the whole vendor/ dir from sniffing.

Other ideas to locate the problem:

  1. Do you have (or did you have) LDAP or OAuth enabled/configured in your installation?
  2. What do those spam registrations look like? (see ?do=reports&project=0)
  3. What is the output of

       show create database yourflyspraydb;

     and

       use yourflyspraydb;
       show create table flyspray_users;

@Arthmoor: Sad to hear, but understandable. I have not forgotten the bcrypt stuff; I have not had enough time for that, and the pull request must be compatible with existing installs.
