Hi,
First let me thank you for very well-written
software. I would like to point out a problem that I'm
experiencing, which I was even able to make work with
your demo nocc version. The exploit is very easy.
Here's what I had to type:
http://nocc.sourceforge.net/demo/action.php?action=aff_mail&mail=14&sort=1&sortdir=1&lang=en
and this will give a small error but a fully functional
web page with write/reply and stuff. Now, my real
concern is that with this bug, anyone who sends this
URL or a similar one, an unauthenticated user, can send
mail to anyone in the world without a single trace
back to who he was. I am really put off by this
fact and I was hoping that the latest version 0.9.4
had addressed that problem, but to my dismay it was
not, so here I am reporting it. What I'd like to see
implemented is that in the case an unauthenticated
user sends this kind of URL, he will be denied access.
Can you please do that ASAP? It's really important.
I will be keeping an eye on this thread. I will not
leave my email address for security reasons.
boshab
Logged In: YES
user_id=82865
Fixed in CVS version.
Could you confirm the bug is fixed by downloading the
latest version available at
http://nocc.sourceforge.net/download
Thanks
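
One way to enforce the denial requested in the report, shown as an added example that is not NOCC's code or its CVS fix: a deny-by-default check that runs at the top of the action script, before any `action` value such as `aff_mail` is dispatched. The `authenticated` session flag, the `login` public action and both function names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical guard, not NOCC's actual code.
declare(strict_types=1);

// Actions reachable without a login (assumed list; everything else needs a session).
const PUBLIC_ACTIONS = ['login'];

/**
 * Decide whether a request may be dispatched.
 * $session is the server-side session array, $action the ?action= value.
 */
function is_request_allowed(array $session, string $action): bool
{
    if (in_array($action, PUBLIC_ACTIONS, true)) {
        return true;
    }
    // 'authenticated' is a hypothetical flag, set only after the mail
    // server has accepted the user's credentials. Strict comparison so
    // that loose values (1, "yes") never count as a login.
    return ($session['authenticated'] ?? false) === true;
}

/** Stop the request before any mailbox or compose code runs. */
function deny_unauthenticated(): void
{
    http_response_code(403);
    header('Cache-Control: no-store');
    exit('Access denied: please log in.');
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: this block goes at the very top of the action script.
    session_start();
    $action = is_string($_GET['action'] ?? null) ? $_GET['action'] : '';
    if (!is_request_allowed($_SESSION, $action)) {
        deny_unauthenticated();
    }
    // ... dispatch $action here, only for authenticated sessions ...
} else {
    // Constructed checks: the action from the report, with and without a login.
    var_dump(is_request_allowed([], 'aff_mail'));
    var_dump(is_request_allowed(['authenticated' => true], 'aff_mail'));
    var_dump(is_request_allowed(['authenticated' => 1], 'aff_mail'));
}
```

The decision is made from server-side session state only, so nothing supplied in the query string (`mail`, `sort`, `lang`) can influence it.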