FS#2437 : Spammers are able to bypass disabled user registrations

Status Closed
Percent Complete
0%
Task Type Bug Report
Category Backend/Core
Assigned To No-one
Operating System All
Severity Critical
Priority High
Reported Version 1.0-rc
Due in Version Undecided
Due Date Undecided
Votes
Private

Attached to Project: Flyspray
Opened by Arthmoor - 06.08.2017
Last edited by peterdd - 25.06.2019

FS#2437 - Spammers are able to bypass disabled user registrations

Spammers have found a way to bypass the block on user registration and cause entries to be inserted into the registrations table in the database. I have 30+ of them in there right now, all inserted within the last 2 days. I’ve had user registrations disabled for 2 weeks now because of an onslaught of spammers who won’t leave us alone. Flyspray has insufficient safeguards against them so when this happens I have little choice.

I don’t have any idea how, but these entries in the registrations table are resulting in emails being sent out to these accounts that are bouncing because the spammers are on domain blocklists for forging their DNS responses.

Something needs to be done about this, because if they can insert phantom entries into this database table via the code, what else could they be doing that we haven’t spotted yet?

Closed by peterdd
25.06.2019 14:06
Reason for closing: No customer feedback

Comments (5)
Related Tasks (1/0)

peterdd commented on 10.08.2017 20:14

Do you have access to the webserverlogs? Maybe you identify and isolate the way of the spammers.

E.g. look when the spammer registered and posted spam compared to activity in webserverlog.

Beside possibility of such yet unknown security issue within Flyspray:

Other possibilities

site got hacked and backdoor installed (compare github flyspray master source with your web server directory)
someone got login credentials of an flyspray admin account, enabled registration, registered new users and posted spam as new users, disabled user registration, logoff ..

peterdd commented on 17.08.2017 22:04

@Arthmoor: Any news?

Arthmoor commented on 28.08.2017 00:45

I do have access to the logs but I was not able to determine how they're gaining access. Only that the registrations table was collecting data when that should not be possible since the setting to allow registrations is disabled.

There's nothing to indicate a site hack, and IMO if that had happened I would have to assume they'd be far more interested in the server itself than being content to spam the tracker. There's also no evidence of a compromised admin account.

I'm not sure how much more help I can be at this point either. I've decided to go ahead with old plans to write a tracker myself. It may not be as fancy as what's here, but it'll have up to date spam protection and password encryption, which is something our users value more than the little conveniences.

peterdd commented on 09.10.2017 00:50

Flyspray 1.0-rc6 released.

Although I don't think they fix your register spam issue, there are several security fixes in this rc6 release and hardening like locking the whole vendor/ dir from sniffing.

	Tasks related to this task (1)
	FS#2528 - New user registration doesn't check for duplicate usernames

Loading...

Keyboard shortcuts

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task