July 19th, 2005, 10:57 AM   #1
Arnie
Member
Verified Customer
Join Date: Jun 2005
Posts: 179
Report feature DOS (NOT A BUG)

The report tool (reportproduct.php) has no timeout or restriction placed on it, so a user could literally spam the admin's account till the cows come home using their own systems.

I'd suggest that the reportproduct.php script should either only take reports from registered members and then only allow them to send one every 20 seconds, or, if you have to have public access too, that the user's IP is logged and has the same restriction placed upon it. (Possibly the flood timeout could be admin-controlled too.)

It's probably also a good idea to tag the report email with the time, user's IP and browser details for security (standard environment details).
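An added example, not code from the forum software or from the poster, showing the flood control described above: one report per admin-configurable interval, keyed by registered user or (only if guest reports are enabled) by client IP, plus a report body tagged with time, IP and browser. Function and parameter names, and the sample IPs and user agent, are my own assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class ReportFloodControl:
    """Rate-limits product reports: per registered user, or per IP for guests."""
    interval_seconds: float = 20.0      # admin-configurable flood timeout
    allow_guests: bool = False          # public access off by default
    _last_report: dict = field(default_factory=dict)  # key -> last accepted time

    def _key(self, user_id, client_ip):
        # Registered members are tracked by account, so a shared proxy IP
        # does not lock other members out; guests fall back to the IP.
        if user_id is not None:
            return ("user", user_id)
        if not self.allow_guests:
            return None
        return ("ip", client_ip)

    def check(self, user_id, client_ip, now=None):
        """Return (allowed, reason); records the attempt only when allowed."""
        now = time.time() if now is None else now
        key = self._key(user_id, client_ip)
        if key is None:
            return False, "reports are restricted to registered members"
        last = self._last_report.get(key)
        if last is not None and now - last < self.interval_seconds:
            wait = self.interval_seconds - (now - last)
            return False, f"flood control: wait {wait:.0f}s before reporting again"
        self._last_report[key] = now
        return True, "ok"


def build_report_email(product_id, message, user_id, client_ip, user_agent, now):
    """Tag the report with the environment details an admin needs to trace abuse."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(now))
    sender = f"member #{user_id}" if user_id is not None else "guest"
    return "\n".join([
        f"Product report for {product_id}",
        f"Submitted: {stamp}",
        f"Sender: {sender}",
        f"Client IP: {client_ip}",
        f"User-Agent: {user_agent}",
        "",
        message,
    ])
```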