tellfriend.php possibly helps spammers

The tellfriend.php script could be viewed as a security issue. There are no checks in it as it ships with Dolphin, and one does not need to be logged in to use it to send an email. Imagine a scenario where bots hit the tellfriend.php script over and over, sending out emails to other spammers that they have found a Dolphin site. Yes, the script only sends out one email at a time, but what if a bot exists that, once it finds the tellfriend.php script, can hit it over and over, adding a new email each time? Or it simply sends one email to a spamming list that adds your Dolphin URL to the list?

The script should only be available to logged in members of your site; as it currently exists, anyone visiting the site can send out an invite.  To test, log out of your site and as a guest, click on the tellfriend link and see if you get to send out an email with your site URL.

Geeks, making the world a better place
Quote · 26 Oct 2013

Yes! I mentioned this before and no one listened. If a spammer wants to make your company look bad, they can use tell friend to spam random people so google and other search engines will see you as a spam site and screw up your internet presence. I definitely disabled tell friend as soon as I installed dolphin.

Quote · 26 Oct 2013

If I had a competitor that was taking my customers from my business, I would pay someone to create a spam bot to attack their tell friend.

Quote · 26 Oct 2013

I removed my tellfriend from the bottom, and created a link in the navigation bar that is only viewable to certain membership types.

caredesign.net
Quote · 26 Oct 2013


Imagine a scenario where bots hit the tellfriend.php script over and over sending out emails to other spammers that they have found a Dolphin site.

OK, GG, so you've seen my post. lol

I deleted it because I thought it was something else, and no message box pops up.

I am using the system as a guest; I'm not able to send any kind of message.

I also have the BotStop module, so they hit the site twice and are blocked if anything.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Oct 2013

It's easy to fix if you want it fixed.

Edit tellfriend.php

Look for this at about line 22

$_page['header_text'] = _t("_Tell a friend");

Add this directly under it.

member_auth();


https://www.deanbassett.com
Quote · 26 Oct 2013

I also edited the tellfriend.php for a site I helped with and added tokens to the email that is sent out and the tokens expire after a certain amount of time.  The tokens can only be used once.

Geeks, making the world a better place
Quote · 26 Oct 2013
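The two fixes above (gating the script behind a member login, and putting expiring single-use tokens in the outgoing mail) are shown together below as an added example. This is not Dolphin's tellfriend.php and uses none of Dolphin's own functions; the session key, the site secret, the per-hour limit, the token TTL and the SQLite tables are all assumptions made for the example.

```php
<?php
// Added example, not Dolphin's code. A hardened tell-a-friend endpoint skeleton with
//   1. a login gate (the thread's member_auth() fix, here as a plain session check),
//   2. a per-member hourly cap, because registered spammers pass the login gate too,
//   3. a signed, expiring, single-use token in the mail so forged or replayed links fail.
// Assumptions (hypothetical): $_SESSION['member_id'], a site secret, SQLite tables.

declare(strict_types=1);

const TELLFRIEND_SECRET   = 'replace-with-a-long-random-site-secret'; // assumption
const TELLFRIEND_TTL      = 86400; // token valid for one day (assumption)
const TELLFRIEND_PER_HOUR = 5;     // invites per member per hour (assumption)

// 1. Only logged-in members may send an invite; guests get HTTP 403.
function requireMember(): int
{
    if (empty($_SESSION['member_id'])) {
        http_response_code(403);
        exit('You must be logged in to use Tell a Friend.');
    }
    return (int) $_SESSION['member_id'];
}

// 2. Per-member rate limit, backed by a small table (assumption: SQLite via PDO).
function checkRateLimit(PDO $db, int $memberId): bool
{
    $db->exec('CREATE TABLE IF NOT EXISTS tf_sent (member_id INTEGER, sent_at INTEGER)');
    $db->prepare('DELETE FROM tf_sent WHERE sent_at < ?')->execute([time() - 3600]);
    $st = $db->prepare('SELECT COUNT(*) FROM tf_sent WHERE member_id = ?');
    $st->execute([$memberId]);
    if ((int) $st->fetchColumn() >= TELLFRIEND_PER_HOUR) {
        return false; // over the hourly cap: do not send
    }
    $db->prepare('INSERT INTO tf_sent VALUES (?, ?)')->execute([$memberId, time()]);
    return true;
}

// 3a. Token = base64url("member:expiry:nonce") . "." . HMAC-SHA256 over that payload.
function makeInviteToken(int $memberId, int $now): string
{
    $payload = $memberId . ':' . ($now + TELLFRIEND_TTL) . ':' . bin2hex(random_bytes(8));
    $mac = hash_hmac('sha256', $payload, TELLFRIEND_SECRET);
    return rtrim(strtr(base64_encode($payload), '+/', '-_'), '=') . '.' . $mac;
}

// 3b. Verify: MAC must match, token must not be expired, and must never have been
//     redeemed before. Returns the sending member's id, or null on any failure.
function verifyInviteToken(PDO $db, string $token, int $now): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode(strtr($parts[0], '-_', '+/'), true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, TELLFRIEND_SECRET), $parts[1])) {
        return null;
    }
    [$memberId, $expiry] = explode(':', $payload, 3) + [null, null, null];
    if ($expiry === null || (int) $expiry < $now) {
        return null; // expired
    }
    $db->exec('CREATE TABLE IF NOT EXISTS tf_used (mac TEXT PRIMARY KEY)');
    try {
        $db->prepare('INSERT INTO tf_used (mac) VALUES (?)')->execute([$parts[1]]);
    } catch (PDOException $e) {
        return null; // primary-key clash: token already redeemed, single use only
    }
    return (int) $memberId;
}

// Demo run with an in-memory database; no mail is actually sent.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$token = makeInviteToken(42, time());
var_dump(verifyInviteToken($db, $token, time()) === 42);          // first use accepted
var_dump(verifyInviteToken($db, $token, time()) === null);        // replay rejected
var_dump(verifyInviteToken($db, $token . 'x', time()) === null);  // tampered MAC rejected
```

In a real handler the order is requireMember(), then checkRateLimit(), then makeInviteToken() for the link placed in the mail body; the landing page calls verifyInviteToken() before showing anything. The login gate alone is what member_auth() gives you; the hourly cap is there because, as noted later in this thread, spammers register accounts too.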

That was one of the first things I removed from my site completely. Any member can use this script to send out mass emails. For me there is no difference whether it is a guest or a member; spammers also register.

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Oct 2013

I hate this feature, not because of security reason. Is it safe to delete tellfriend.php?

Quote · 27 Oct 2013

I just deleted the file and removed any references in the db and code to it. Also check out third party modules, they might refer to it. (did it on 7.0.9)

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 27 Oct 2013
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.