Small Spam Vulnerability in Squishdot
Posted by Chris Withers on Thursday February 09, 06:48PM, 2006
from the hmmm-well-yeah-I-guess-sigh-sigh dept.
Garikoitz Araolaza reported some problems he was having with his Squishdot sites being used to send spam. This article contains a fix...

The basic problem is that Squishdot's mail_html template was used to generate the raw stream sent to the SMTP server. As a result, that stream contained data supplied in the posting (the 'email' and 'title' fields among them) that wasn't being adequately cleansed, so text from a posting could end up in the mail headers.

The file attached to this article solves this problem and should be used to replace the distributed version.

In addition, all instantiated Squishdot sites should have their mail_html templates fixed. If you haven't changed this template, just replace it with the contents of the attached file.

If you have changed it, it's the first four lines that need to be carefully checked.

NB: You will not have been sending any spam unless you've noticed a load of weird postings on any of your Squishdot sites containing what look like SMTP headers in the 'email' or 'title' field.

If you have any questions, comments or can still find a way to send spam with Squishdot, please ask away...
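The flaw described above, as an added example that is not Squishdot's code or the attached template: a naive string-templated SMTP message of the kind the old mail_html produced, beside a hardened builder that rejects line breaks in header values, plus the check a site owner could run over stored postings to spot the symptom the NB describes (header-looking lines in the 'email' or 'title' field). Function names, the sample postings and the addresses are all constructed for this illustration.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

# A CR or LF inside a header value ends that header early; whatever follows is
# read by the mail server as further headers. That is the whole defect.
_LINE_BREAK = re.compile(r"[\r\n]")

# What an injected header looks like inside a stored posting field: a line
# break followed by a header-style "Name:" token.
_HEADER_LINE = re.compile(r"[\r\n]+\s*[A-Za-z][A-Za-z0-9-]*\s*:")


def looks_like_header_injection(value: str) -> bool:
    """True if a posting field contains what looks like an injected mail header."""
    return bool(_HEADER_LINE.search(value))


def find_suspicious_postings(postings):
    """Return the ids of postings whose 'email' or 'title' carry header-like lines."""
    return [
        p["id"] for p in postings
        if looks_like_header_injection(p["email"]) or looks_like_header_injection(p["title"])
    ]


def build_mail_unsafe(poster_email, title, body, recipient):
    """The shape of the original problem: posting fields interpolated verbatim
    into the raw message stream, line breaks and all."""
    return (
        f"From: {poster_email}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {title}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def clean_header_value(value):
    """Refuse any header value that contains a line break; return it trimmed."""
    if _LINE_BREAK.search(value):
        raise ValueError("line break in mail header value")
    return value.strip()


def build_mail_safe(poster_email, title, body, recipient):
    """Hardened builder: every header goes through clean_header_value and the
    message is assembled by the email library rather than by string pasting."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = clean_header_value(poster_email)
    msg["To"] = clean_header_value(recipient)
    msg["Subject"] = clean_header_value(title)
    msg.set_content(body)
    return msg.as_string()


def count_headers(raw):
    """Number of header lines before the blank line that ends the header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n"))


# Constructed sample postings: one normal, one carrying a header-like line in 'title'.
SAMPLE_POSTINGS = [
    {"id": 1, "email": "alice@example.invalid", "title": "Hello world"},
    {"id": 2, "email": "bob@example.invalid", "title": "Hello\r\nBcc: list@example.invalid"},
]

if __name__ == "__main__":
    print("suspicious postings:", find_suspicious_postings(SAMPLE_POSTINGS))
    bad = SAMPLE_POSTINGS[1]
    print("unsafe header count:", count_headers(build_mail_unsafe(bad["email"], bad["title"], "hi", "editor@example.invalid")))
    try:
        build_mail_safe(bad["email"], bad["title"], "hi", "editor@example.invalid")
    except ValueError as exc:
        print("safe builder rejected it:", exc)
```

The scan only flags postings that already contain a header-like line, so it is a way to confirm the symptom on an existing site rather than a substitute for fixing the template; the rejecting builder is the equivalent of the cleansing the patched mail_html applies to its first four lines.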

File Attachment: Squishdot_mail_html.dtml (787 bytes)

The Fine Print: The following comments are owned by whoever posted them.

    Will there be another Squishdot release?
    by Toni Andjelkovic on Saturday April 08, 02:03PM, 2006
    Hi Chris,

    will there ever be an updated version of Squishdot? The most recent version is from 2003, which is quite old considering the amount of changes that happened in Zope. Also, Squishdot won't run on 2.8.4 without some nasty patching AFAIK.

    • Only if someone really wants it ;-)
      by Chris Withers on Monday April 10, 05:57PM, 2006
      Well, there have been plenty of changes in Zope, but Squishdot has been robust enough that it's not been affected by those changes so far!

      The patches for 2.8.4 aren't so nasty. Try with Zope 2.9, you might not even need them.

      I'm going to be moving my production instance onto Zope 2.9 soon, so if there really is a need, there will be a release then...

    All trademarks and copyrights on this page are owned by their respective companies. Comments are owned by the Poster. The Rest ©1999 Butch Landingin, ©2000-2002 Chris Withers.