easy spam exploitation of "tell a friend" feature?

[hayden]

Ok, firstly i love the cart and have been a fan and developer of it for some time.

Problem: disabling "tell a friend" from the admin section merely hides the buttons to access the form.

anyone with the most basic understanding of zencart and url's can easily find or have bookmarked the url to access it:

index.php?main_page=tell_a_friend&products_id=57

so there was no way for me to stop a spammer who had been using scripting to send 1000's of email a day through my customers site via this function/form but to,

Quick fix: edit the modules header php file to throw error always, and comment out modules template html.

Proper fix: make the setting in the admin section which hides the buttons/sideboxes to access the forms actually disable the function/form which sends the emails.

thanks guys,

Hayden.

[DrByte]

In the meantime, v1.3.9 introduced throttling to minimize the ability to "send 1000's of email a day".

[g1smd]

I am going to take a look to see if there is a simple way to alter the script so that the function when disabled in Admin can return a proper HTTP/1.1 404 Not Found header and error message on any and all access attempts.

For the moment, a simple .htacess fix can be implemented using:

Code:

# ErrorDocument 404
ErrorDocument 404 /index.php?main_page=page_not_found

# Rewrite requests for 'tell a friend' to a non-existent internal path
# The rewrite triggers Apache to send a 404 header and 404 error page.
RewriteCond %{QUERY_STRING} main_page=tell_a_friend
RewriteRule ^(index.php)?$ /path-does-not-exist [L]

Rewrites must always be listed after any and all redirects.

[DrByte]

If you just delete or rename the /includes/modules/pages/tell_a_friend/ folder, that will automatically trigger the built-in Not-Found functionality, which will redirect to the main_page=page_not_found if you've got it configured to do that in Admin->Configuration->My Store.
No need to touch .htaccess