0002579: Special usage of "suggest" reveals dbUser and dbHost

ID	Project	Category	View Status	Date Submitted	Last Update

0002579	OXID eShop (all versions)	3.1. Design, GUI, UX	public	2011-03-02 15:50	2011-10-13 16:16

Reporter	tjungcl	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	4.4.7 revision 33396
Fixed in Version	4.5.4 revision 39463

Summary	0002579: Special usage of "suggest" reveals dbUser and dbHost
Description	4.4.7 too: If you dont provide a valid from-emailadress in the suggest form, the receiver will get an suggest-email with default SMTP user and server name (as configured on SMTP server). Version 4.5 validated the from-email adress via javascript. If you disable javascript, you can still submit the suggest-form without a valid from-address. It's quite ugly and could easily be fixed by validating the sender-email-adrdress server-side.
Steps To Reproduce	- configure a valid smtp in your admin - disable javascript in your browser - go to the suggest-form - enter a valid receiver-emailadress and "me" as "sender" email-address. - submit the page - wait for the email -> youll get it from xyz@abc where xyz is your dbUser and abc your dbHost.
Additional Information	$utils = oxUtils::getInstance(); if ( !$utils->isValidEmail($oParams->rec_email) \|\| !$utils->isValidEmail($oParams->send_email) ) { oxUtilsView::getInstance()->addErrorToDisplay( 'SUGGEST_INVALIDMAIL' ); return false; }
Tags	No tags attached.

Theme
Browser	All
PHP Version	any
Database Version	any

tjungcl 2011-03-02 16:00 reporter ~0004166 Last edited: 2011-03-02 16:08	pardon me, its not dbuser and dbhost - it depends on your smtp configuration. It seems, those are the default user and server for sending emails on your smtp. So, information that could also be read in the full email-header. Nevertheless - its quite ugly and could easily be fixed by validating the sender-email-adrdress server-side.

dainius.bigelis 2011-04-01 15:24 reporter ~0004298	Description updated.