A while back, it was exposed that if using the legacy form submission struts path (e.g. /sendEmail, /submitWebForm, etc), a spammer could remotely invoke the tool and use it to send spam emails to people. While this wasn’t exactly a bug in the strictest sense, it could prove to be a headache for users should their server be targeted.
Enter costarica.com. Thanks to their effort, a patch has been made available (for 1.9) that forces the server to check the referring HTTP request against a list of approved server names and IPs. As a result, attempts to access the tool directly will be denied – the tool has to be invoked by a request originating from your site. This has been set up as a plugin for easy installation.
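To make the mechanism concrete, here is an added example (not the plugin's own code, and not from costarica.com) of the kind of Referer allow-list check the patch applies to the legacy paths. The property key "allowed.hosts", the sample properties text and the sample requests are all constructed for illustration; the real plugin.properties key is not given above. Note that a missing or unparsable Referer is denied, since a direct invocation of /sendEmail or /submitWebForm carries no referring page from your site.

```python
"""Referer allow-list check in the spirit of the dotCMS 1.9 legacy form
submission patch.  Added example; not the plugin's own code."""
from urllib.parse import urlsplit
import ipaddress

# Constructed stand-in for conf/plugin.properties.  The real key name is
# not given on the page, so "allowed.hosts" is an assumed placeholder.
SAMPLE_PROPERTIES = """
# hostnames and IPs that may invoke /sendEmail and /submitWebForm
allowed.hosts = www.example.com, example.com, 203.0.113.10
"""


def load_allowed_hosts(properties_text, key="allowed.hosts"):
    """Return the set of lower-cased hostnames/IPs listed under `key`."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return {h.strip().lower() for h in v.split(",") if h.strip()}
    return set()


def referer_host(referer):
    """Extract the host (no port, no userinfo) from a Referer header, or None."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    # Canonicalise IP literals so the comparison below is on one spelling;
    # plain hostnames raise ValueError and are returned as-is.
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


def is_request_allowed(headers, allowed_hosts):
    """Allow only requests whose Referer names an approved host.  A missing
    or unparsable Referer is denied (deny by default, as the patch does)."""
    host = referer_host(headers.get("Referer") or headers.get("referer"))
    return host is not None and host in allowed_hosts


# Constructed sample requests to the legacy struts path, with the expected verdict
SAMPLE_REQUESTS = [
    ({"Referer": "https://www.example.com/contact"}, True),
    ({"Referer": "http://203.0.113.10/form.html"}, True),
    ({"Referer": "https://WWW.EXAMPLE.COM:8443/contact"}, True),   # port/case ignored
    ({}, False),                                                   # direct invocation
    ({"Referer": "http://spam.example.net/"}, False),
    ({"Referer": "http://www.example.com.evil.test/"}, False),     # suffix trick
    ({"Referer": "not a url"}, False),
]


def check_samples():
    """True for each sample whose verdict matches the expected one."""
    allowed = load_allowed_hosts(SAMPLE_PROPERTIES)
    return [is_request_allowed(h, allowed) == want for h, want in SAMPLE_REQUESTS]


if __name__ == "__main__":
    allowed = load_allowed_hosts(SAMPLE_PROPERTIES)
    for headers, _ in SAMPLE_REQUESTS:
        verdict = "allow" if is_request_allowed(headers, allowed) else "deny"
        print(f"{verdict:5} Referer={headers.get('Referer')!r}")
```

The host comparison is exact (after lower-casing and dropping any port), so a lookalike such as www.example.com.evil.test does not match www.example.com; that is why the allow list is a set of full hostnames rather than a substring match, and why it has to be updated whenever a host is added to or removed from dotCMS, as the instructions below say.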
Instructions:
- Edit conf/plugin.properties to include your list of approved hostnames (you’ll have to do this each time you add or remove hosts in dotCMS)
- Copy the plugin to the plugins/ folder of your dotCMS installation
- Shut down dotCMS
- Run ant clean-plugins deploy-plugins
- Start up dotCMS
[ DOWNLOAD Legacy Form Submission Security Patch 1.0 for dotCMS 1.9 ]