A while back, it was exposed that if using the legacy form submission struts path (e.g. /sendEmail, /submitWebForm, etc), a spammer could remotely invoke the tool and use it to send spam emails to people. While this wasn’t exactly a bug in the strictest sense, it could prove to be a headache for users should their server be targeted.

Enter costarica.com. Thanks to their effort, a patch has been made available (for 1.9) that will force the server check the referring HTTP request against a list of approved server names and IPs. As a result, attempts to access the tool directly will be denied – the tool has to be invoked by a request originating from your site. This has been set up as a plugin for easy installation.


  1. Edit conf/plugin.properties to include your list of approved hostname (you’ll have to do this each time you add or remove hosts in dotCMS)
  2. Copy the plugin to the plugins/ folder of your dotCMS installation
  3. Shut down dotCMS
  4. Do an ant clean-plugins deploy-plugins
  5. Start up dotCMS

[ DOWNLOAD Legacy Form Submission Security Patch 1.0 for dotCMS 1.9 ]

No comments yet.

Leave a Reply