Flyspray - The bug killer!

  • Status Unconfirmed
  • Percent Complete
  • Task Type Bug Report
  • Category Backend/Core
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority High
  • Reported Version 1.0-rc
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by Arthmoor - 06.08.2017

FS#2437 - Spammers are able to bypass disabled user registrations

Spammers have found a way to bypass the block on user registration and cause entries to be inserted into the registrations table in the database. I have 30+ of them in there right now, all inserted within the last 2 days. I’ve had user registrations disabled for 2 weeks now because of an onslaught of spammers who won’t leave us alone. Flyspray has insufficient safeguards against them so when this happens I have little choice.

I don’t have any idea how, but these entries in the registrations table are resulting in emails being sent out to these accounts that are bouncing because the spammers are on domain blocklists for forging their DNS responses.

Something needs to be done about this, because if they can insert phantom entries into this database table via the code, what else could they be doing that we haven’t spotted yet?

Project Manager
peterdd commented on 10.08.2017 20:14

Do you have access to the web server logs? Maybe you can identify and isolate the method the spammers use.

E.g. look at when the spammer registered and posted spam, compared to the activity in the web server log.

Besides the possibility of such a yet unknown security issue within Flyspray:

Other possibilities

  • the site got hacked and a backdoor was installed (compare the GitHub Flyspray master source with your web server directory)
  • someone got the login credentials of a Flyspray admin account, enabled registration, registered new users and posted spam as the new users, disabled user registration, logged off ...
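The log comparison suggested in the comment above, as an added example (not part of the original thread and not Flyspray code): it lists the requests logged within a few seconds of each phantom registration and counts which method and path recur. It assumes an Apache/nginx "combined" access log and registration times exported from the database as UTC datetimes; the log lines, times and the `do=EXAMPLE` path are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (time, ip, method, path, status), or None if the line is unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["method"], m["path"], int(m["status"])

def correlate(log_lines, reg_times, window_s=5):
    """Map each registration time to the requests logged within +/- window_s seconds."""
    entries = [e for e in map(parse_line, log_lines) if e]
    window = timedelta(seconds=window_s)
    return {t: [e for e in entries if abs(e[0] - t) <= window] for t in reg_times}

def common_requests(hits):
    """Count the (method, path) pairs that recur across registrations."""
    counts = Counter()
    for reqs in hits.values():
        counts.update({(method, path) for _, _, method, path, _ in reqs})
    return counts

# Constructed sample data (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Aug/2017:10:15:02 +0000] "POST /index.php?do=EXAMPLE HTTP/1.1" 200 512 "-" "ua"',
    '198.51.100.4 - - [05/Aug/2017:10:20:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "ua"',
    '203.0.113.9 - - [05/Aug/2017:11:30:41 +0000] "POST /index.php?do=EXAMPLE HTTP/1.1" 200 512 "-" "ua"',
    'truncated or malformed line',
]
SAMPLE_REG_TIMES = [
    datetime(2017, 8, 5, 10, 15, 3, tzinfo=timezone.utc),
    datetime(2017, 8, 5, 11, 30, 40, tzinfo=timezone.utc),
]

if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG, SAMPLE_REG_TIMES)
    for (method, path), n in common_requests(hits).most_common():
        print(f"{n} registrations coincide with {method} {path}")
```

A request that shows up next to every phantom row is the one to reproduce against a test instance with registration disabled; rows with no matching request at all point towards the other possibilities listed in the comment.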
Project Manager
peterdd commented on 17.08.2017 22:04

@Arthmoor: Any news?

