Announcement

#1 2018-07-17 09:28:46

ferryman
Member
2018-07-17
1

Phishing potential due dynamic gallery URL

I just received multiple Piwigo 2.9.4 update notifications ("Time has come to update your Piwigo...") which contained interesting links such as "http://monster-hack.su/admin.php?page=updates" and  "http://crackcommunity.com/admin.php?page=updates". I confirmed the messages were really sent by my own Piwigo instance located on a whole different URL.

The reason is most likely a combination of the following:

1) My instance can be called by any random hostname by "spoofing" the DNS name (since it's running under a default website which does not explicitly require a specific DNS name)
2) The mail notification functionality utilizes function get_absolute_root_url which in turn uses a HTTP header value from a browser request.

The result is a little discomforting at least. It gives the impression that the instance has been hacked and it's possible to generate phishing emails by repeatedly calling the gallery by made-up hostname. I'm uncertain what's the best approach here, but there are a few possible solutions:

a) Should all administrators simply fix 1) so that the gallery can only be called by specific hostnames?
b) Or should the base url be set in a more static way than deriving it from a browser request (such as explicitly asking for it when installing)?
c) Or is it perhaps best to remove links from the notification messages altogether?
d) ?

Comments welcome :)

Offline

 

#2 2018-07-17 14:01:50

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13159

Re: Phishing potential due dynamic gallery URL

Hi ferryman,

Thank you for starting this discussion. I had not seen the potential issue here.

I like, very much, the fact that a give Piwigo can be reached from several urls (it makes several operations much simpler).

Removing the link would be a solution, but keep in mind that all emails sent by Piwigo have a link inside, with the same potention issue :-/


Latest blog post (May 3rd 2018) New subscription form

Offline

 

Board footer

Powered by FluxBB

github twitter facebook google+ newsletter Donate Piwigo.org © 2002-2018 · Contact