I just received multiple Piwigo 2.9.4 update notifications ("Time has come to update your Piwigo...") which contained interesting links such as "http://monster-hack.su/admin.php?page=updates" and "http://crackcommunity.com/admin.php?page=updates". I confirmed the messages were really sent by my own Piwigo instance located on a whole different URL.
The reason is most likely a combination of the following:
1) My instance can be called by any random hostname by "spoofing" the DNS name (since it's running under a default website which does not explicitly require a specific DNS name)
2) The mail notification functionality utilizes function get_absolute_root_url which in turn uses a HTTP header value from a browser request.
The result is a little discomforting at least. It gives the impression that the instance has been hacked and it's possible to generate phishing emails by repeatedly calling the gallery by made-up hostname. I'm uncertain what's the best approach here, but there are a few possible solutions:
a) Should all administrators simply fix 1) so that the gallery can only be called by specific hostnames?
b) Or should the base url be set in a more static way than deriving it from a browser request (such as explicitly asking for it when installing)?
c) Or is it perhaps best to remove links from the notification messages altogether?
d) ?
Comments welcome :)
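To illustrate the mechanism described in this post (a root URL derived from the request's Host header) next to the fix suggested under b), here is an added PHP example; it is not Piwigo's own code, `get_absolute_root_url` is not reproduced, and the function names, the canonical URL and the hostnames are all made up for the illustration.

```php
<?php
// Added example (not Piwigo's code). Shows why building the root URL from the
// client-supplied Host header lets an arbitrary hostname end up in outgoing
// mail, and one defensive alternative. All names here are hypothetical.

// Weak pattern: trust whatever Host header the client sent.
function root_url_from_request(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? 'localhost';
    return $scheme . '://' . $host . '/';
}

// Hardened pattern: the administrator sets the canonical URL once (for example
// at install time), and the request's Host header is only honoured when it is
// on an explicit allowlist. Any other value falls back to the canonical URL,
// so a made-up hostname can never reach the notification template.
function canonical_root_url(array $server, string $canonical, array $allowed_hosts): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);      // ignore an explicit port
    if ($host !== '' && in_array($host, $allowed_hosts, true)) {
        $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
        return $scheme . '://' . $host . '/';
    }
    return $canonical;                               // unknown host: do not echo it back
}

// Constructed request array, standing in for $_SERVER when a client calls the
// gallery under a hostname the administrator never configured.
$request = ['HTTP_HOST' => 'spoofed-host.example', 'HTTPS' => 'on'];

// The weak version reflects the spoofed host straight into the URL.
echo root_url_from_request($request), "\n";

// The hardened version discards it and uses the configured canonical URL.
echo canonical_root_url($request, 'https://gallery.example/', ['gallery.example']), "\n";
```

Option a) from the post (binding the web server to specific hostnames) closes the same gap one layer earlier, and the two measures can be combined.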
Hi ferryman,
Thank you for starting this discussion. I had not seen the potential issue here.
I like, very much, the fact that a given Piwigo can be reached from several urls (it makes several operations much simpler).
Removing the link would be a solution, but keep in mind that all emails sent by Piwigo have a link inside, with the same potential issue :-/