Small Spam Vulnerability in Squishdot
Squishdot Posted by on Thursday February 09, 06:48PM, 2006
from the hmmm-well-yeah-I-guess-sigh-sigh dept.
Garikoitz Araolaza reported some problems he was having with his Squishdot sites being used to send spam. This article contains a fix...

The basic problem is that Squishdot's mail_html template is used to generate the stream sent to the SMTP server. As a result, that stream contained data supplied in the posting that wasn't being adequately cleansed.

The file attached to this article solves this problem and should be used to replace the distributed version.

In addition, all instantiated Squishdot sites should have their mail_html templates fixed. If you haven't changed this template, just replace it with the contents of the attached file.

If you have changed it, it's the first four lines that need to be carefully checked.

NB: You will not have been sending any spam unless you've noticed a load of weird postings to any of your Squishdot sites that contain what look like SMTP headers in the 'email' or 'title' field.

If you have any questions, comments or can still find a way to send spam with Squishdot, please ask away...

cheers,

Chris
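
An added example, not part of the original article or the Squishdot code base: Python that audits postings for the symptom described in the NB above (line breaks followed by header-like text in the 'email' or 'title' field) and reduces such a value to its first line before it is templated into mail. The posting dictionaries, the `id` key and all function names are assumptions for illustration; the contents of the attached fix are not shown on this page.

```python
import re

# Fields the article names as carrying injected header text.
HEADER_FIELDS = ("email", "title")
# CR or LF ends a header line, so either one inside a header-bound value
# lets the poster begin a line of their own in the SMTP stream.
LINE_BREAK = re.compile(r"[\r\n]")
# A line that starts like a mail header ("Bcc:", "Content-Type:", ...).
HEADER_LINE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*:")


def injected_headers(value):
    """Return header names found on any line after the first line."""
    names = []
    for line in LINE_BREAK.split(value)[1:]:
        match = HEADER_LINE.match(line)
        if match:
            names.append(match.group(1).lower())
    return names


def audit_postings(postings):
    """Map posting id -> {field: [header names]} for every posting whose
    header-bound fields contain a line break."""
    findings = {}
    for posting in postings:
        for field in HEADER_FIELDS:
            value = posting.get(field, "")
            if LINE_BREAK.search(value):
                findings.setdefault(posting["id"], {})[field] = injected_headers(value)
    return findings


def safe_header_value(value):
    """Keep only the first line of a value before it reaches the template."""
    return LINE_BREAK.split(value, maxsplit=1)[0].strip()


# Constructed sample postings (hypothetical, not taken from any real site).
SAMPLE_POSTINGS = [
    {"id": "1001", "email": "reader@example.org", "title": "Nice article"},
    {"id": "1002", "email": "x@example.org\r\nBcc: list@example.net",
     "title": "hello\nContent-Type: text/html"},
]

if __name__ == "__main__":
    for posting_id, fields in audit_postings(SAMPLE_POSTINGS).items():
        print(posting_id, fields)
```
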


File Attachment
  • Click to download attachment Squishdot_mail_html.dtml
    0KB (787 bytes)

The Fine Print: The following comments are owned by whoever posted them.

Will there be another Squishdot release?
by on Saturday April 08, 02:03PM, 2006
Hi Chris,

will there ever be an updated version of Squishdot? The most recent version is from 2003, which is quite old considering the amount of changes that happened in Zope. Also, Squishdot won't run on 2.8.4 without some nasty patching AFAIK.

Cheers,
Toni
  • Only if someone really wants it ;-)
    by on Monday April 10, 05:57PM, 2006
    Well, there have been plenty of changes in Zope, but Squishdot has been robust enough that it's not been affected by those changes so far!

    The patches for 2.8.4 aren't so nasty. Try with Zope 2.9, you might not even need them.

    I'm going to be moving my production instance onto Zope 2.9 soon, so if there really is a need, there will be a release then...

    cheers,

    Chris
    • Re: Only if someone really wants it ;-)
      by on Monday March 12, 04:07PM, 2007
      I have not been able to get Squishdot to work in Zope 2.9. Will try the patch for 2.8.4 and see what happens.
      • Squishdot works fine with 2.9.3
        by on Monday March 12, 04:17PM, 2007
        Hi there,

        Do lemme know what problems, specifically, you're having...

        Squishdot.org runs on a Zope 2.9.3 and uses the version available from SourceForge:

        http://squishdot.svn.sourceforge.net/viewvc/squishdot/Squishdot/trunk/

        I suppose I should really do a release at some stage...

        Chris

 