FOSUserBundle
[Vulnerabilities] Spamtrap
You have a spamtrap vulnerability.
Symfony FOSUserBundle versions:
- In the subject since 14 Jan 2012: https://github.com/FriendsOfSymfony/FOSUserBundle/blob/8ae256d75d932a1a4699bbf08bf0866066a620f0/Resources/translations/FOSUserBundle.en.yml#L47
- In the body since 16 Apr 2011 or earlier: https://github.com/FriendsOfSymfony/FOSUserBundle/blob/9295012002768344c7a1df22cc37a2d8ecc040e7/Resources/translations/FOSUserBundle.en.yml#L26
- Still present on master: https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/translations/FOSUserBundle.en.yml#L43

This affects many languages:
- https://github.com/FriendsOfSymfony/FOSUserBundle/blob/8ae256d75d932a1a4699bbf08bf0866066a620f0/Resources/translations/FOSUserBundle.de.yml#L47
- https://github.com/FriendsOfSymfony/FOSUserBundle/blob/8ae256d75d932a1a4699bbf08bf0866066a620f0/Resources/translations/FOSUserBundle.fr.yml#L47
- https://github.com/FriendsOfSymfony/FOSUserBundle/blob/8ae256d75d932a1a4699bbf08bf0866066a620f0/Resources/translations/FOSUserBundle.ru.yml#L47
Description of the problem including expected versus actual behavior:
Steps to reproduce:
- A spammer registers with the username `900$ PER DAY HERE www.example.com` and the email `[email protected]`.
- A real user receives the message:

```
Subject: Welcome 900$ PER DAY HERE www.example.com!
To: [email protected]
From: "My company" <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Hello 900$ PER DAY HERE www.example.com!
To finish activating your account - please visit https://my-domain.com/register/confirm/...
Regards, the Team.
```

- My domain is banned for spamming.
PS: Prohibiting the use of spaces in the username is not a solution to the problem.
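As an added illustration (not FOSUserBundle code), a PHP pre-send check that refuses to build the `Welcome %username%!` subject when the username carries URL-like or money-bait content, so the confirmation mail is held for review instead of delivered to an unverified address. The template string is the one quoted from FOSUserBundle.en.yml; the function names and the spam patterns are assumptions for this example, and the sample username is the one from this report.

```php
<?php
// Added example, not FOSUserBundle code. Assumes the subject template
// "Welcome %username%!" from FOSUserBundle.en.yml and a hypothetical
// pre-send hook where this check would run.

declare(strict_types=1);

/** Translation-style subject template as found in FOSUserBundle.en.yml. */
const SUBJECT_TEMPLATE = 'Welcome %username%!';

/** True when the username carries URL-, domain- or money-bait-like content. */
function looksLikeSpamUsername(string $username): bool
{
    $patterns = [
        '~https?://~i',                                  // explicit URL scheme
        '~\bwww\.~i',                                    // www. prefix
        '~\b[a-z0-9-]+\.(com|net|org|info|biz|ru)\b~i',  // bare domain name
        '~\d+\s*(\$|usd|eur)~i',                         // "900$" style money bait
        '~\b(per day|per week|earn|free money)\b~i',     // common bait phrases
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $username) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Builds the confirmation-mail subject, or returns null (and logs) when the
 * username would turn the mail into outbound spam. The mail must not be sent
 * in that case; the registration can be held for manual review instead.
 * The same check applies to the body template, which greets by username too.
 */
function buildConfirmationSubject(string $username): ?string
{
    if (looksLikeSpamUsername($username)) {
        error_log(sprintf('registration held: spam-like username %s', json_encode($username)));
        return null;
    }
    return str_replace('%username%', $username, SUBJECT_TEMPLATE);
}

// Constructed sample input: the username quoted in this report, then a benign one.
var_dump(buildConfirmationSubject('900$ PER DAY HERE www.example.com'));
var_dump(buildConfirmationSubject('alice'));
```

The check is one mitigation layer only; the underlying issue is that user-controlled text is placed in mail sent to an address the user has not yet proven they own.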