View Issue Details

IDProjectCategoryView StatusLast Update
0002579OXID eShop (all versions)3.1. Design, GUI, UXpublic2011-10-13 16:16
Reportertjungcl 
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Product Version4.4.7 revision 33396 
Target VersionFixed in Version4.5.4 revision 39463 
Summary0002579: Special usage of "suggest" reveals dbUser and dbHost
Description4.4.7 too:

If you dont provide a valid from-emailadress in the suggest form, the receiver will get an suggest-email with default SMTP user and server name (as configured on SMTP server).
Version 4.5 validated the from-email adress via javascript. If you disable javascript, you can still submit the suggest-form without a valid from-address.

It's quite ugly and could easily be fixed by validating the sender-email-adrdress server-side.

Steps To Reproduce- configure a valid smtp in your admin
- disable javascript in your browser
- go to the suggest-form
- enter a valid receiver-emailadress and "me" as "sender" email-address.
- submit the page
- wait for the email -> youll get it from [email protected] where xyz is your dbUser and abc your dbHost.

Additional Information$utils = oxUtils::getInstance();
        if ( !$utils->isValidEmail($oParams->rec_email) || !$utils->isValidEmail($oParams->send_email) ) {
            oxUtilsView::getInstance()->addErrorToDisplay( 'SUGGEST_INVALIDMAIL' );
            return false;
        }
TagsNo tags attached.
Theme
BrowserAll
PHP Versionany
Database Versionany

Activities

tjungcl

2011-03-02 16:00

reporter   ~0004166

Last edited: 2011-03-02 16:08

View 2 revisions

pardon me, its not dbuser and dbhost - it depends on your smtp configuration.

It seems, those are the default user and server for sending emails on your smtp.
So, information that could also be read in the full email-header.

Nevertheless - its quite ugly and could easily be fixed by validating the sender-email-adrdress server-side.

dainius.bigelis

2011-04-01 15:24

reporter   ~0004298

Description updated.