#3889 spam changing original tickets [24816]

unreleased
invalid
nobody
support (446)
General
nobody
2015-02-25
2012-03-14
Chris Tsai
No

https://sourceforge.net/apps/trac/sourceforge/ticket/24816

The automated spam hitting my tickets is now repeatedly changing the original text of some tickets, including the title, even when the ticket was originally created by a logged-in user. This means the text and title of the ticket are lost and have to be re-entered. You seem to have some security problems in your setup. Hopefully this is not affecting files as well. How are these spammers modifying tickets?

The following legitimate tickets have been affected:
https://sourceforge.net/p/spacefm/tickets/88010/
https://sourceforge.net/p/spacefm/tickets/88023/

Here is an example of a genuine ticket which was changed to spam:

To: "[spacefm:tickets] " <88010@tickets.spacefm.p.re.sf.net>
Subject: [spacefm:tickets] #88010 Update French translation
Date: Tue, 13 Mar 2012 22:09:58 +0000
Reply-To: "[spacefm:tickets] " <88010@tickets.spacefm.p.re.sf.net>

- **summary**: 93795 --> Update French translation
- Description has changed:

Diff:

--- old
+++ new
@@ -1,1 +1,1 @@
-c, <a href="http://drecustomfightgear.com/index.html">levitra side effects</a>, <a href="http://klinecustoms.com/index.html">250 antabuse cheap generic mg online order</a>, <a href="http://maranathabeach.com/index.html">propecia online</a>, <a href="http://the-leenks.info/index.html">alcohol erythromycin</a>, <a href="http://think-brew.com/index.html">buy elimite permethrin online</a>, <a href="http://nawiclongbeach.org/index.html">plavix efectos</a>, <a href="http://createdby-kat.com/index.html">buy zithromax</a>,
+I started updating the French translation. I'll attach the new po file when it will be ready.

---

** [tickets:88010] Update French translation**

**Status:** pending
**Labels:** 12319
**Created:** Thu Feb 09, 2012 06:36 AM UTC by Jean-Philippe Fleury
**Last Updated:** Tue Mar 13, 2012 09:15 PM UTC
**Owner:** nobody

I started updating the French translation. I'll attach the new po file when it will be ready.

---

Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/spacefm/tickets/88010/>

To unsubscribe from further messages, please visit <https://sourceforge.net/auth/prefs/>

I tried making an anonymous edit on a ticket on my test project, but I wasn't able to figure out a way to do that. Even granting *anonymous on all the tool permissions (including admin) didn't do the trick.

Perhaps the API is being exploited? Or something else?

Discussion

  • Anonymous - 2012-03-14

    Originally by: ignorantguru

    These two tickets are still changing to spam:
    https://sourceforge.net/p/spacefm/tickets/88010/
    https://sourceforge.net/p/spacefm/tickets/88023/

    They change several times a day - I or the original poster keep changing them back. The title and text of the initial posts are changed. The new title is always a 5-digit number, and the spam is always in the form shown above (prescription drug names, etc).

    There are also new spam tickets being added, but today some of them were closed automatically, e.g.
    https://sourceforge.net/p/spacefm/tickets/88051/
    https://sourceforge.net/p/spacefm/tickets/88049/

    I also cannot edit any entries unless I'm logged in (and I'm the admin), so I don't know how it's being done. I tried changing my password and the user who owns these tickets did the same, but it has had no effect.

     
  • Chris Tsai - 2012-03-14

    I suggest updating your permissions on your tickets tool via Admin -> Tools then under tickets, Permissions, try changing *anonymous -> *authenticated to see if that helps to mitigate this issue while the engineering team investigates this further.

     
  • Chris Tsai - 2012-03-14

    IgnorantGuru:

    After discussing this with the other staff, we believe that while the edit link doesn't show, the *anonymous permission on write is allowing these edits to be made via a script (either regular web forms or an API). My recommendation to you is to change the write permission to only allow *authenticated users.

    I've also logged two follow-up tickets:

    [#3891] - showing the edit link to anonymous users when the permissions allow it, so that we can provide better transparency about what's actually possible.
    [#3892] - currently, the write permission handles both new ticket creation, and editing existing tickets. This ticket is to separate out those permissions.

    Regards,
    Chris Tsai, SourceForge.net Support

    PS: If you're wondering, as I did, what the difference is between write and post, the write permission is for creating new tickets/editing tickets (until [#3892] is complete anyway), and post is for comments on existing tickets.

     

    Related

    Tickets: #3891
    Tickets: #3892
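
The gap described in the reply above (no edit link shown to anonymous visitors, while the server-side write permission is still granted to *anonymous) as an added Python sketch. This is not SourceForge or Allura code; the function names, the sample ticket text and the `create`/`update` permission names standing in for the split proposed in #3892 are assumptions made for illustration.

```python
# Added illustration: a toy ACL model, not SourceForge/Allura code.
# "create" and "update" are hypothetical names for the split proposed in #3892.
ANON, AUTH = "*anonymous", "*authenticated"

def roles_of(user):
    """Every request holds *anonymous; a logged-in user also holds *authenticated."""
    return {ANON} if user is None else {ANON, AUTH}

def allowed(acl, user, permission):
    return bool(roles_of(user) & set(acl.get(permission, ())))

def ui_shows_edit_link(user):
    # Behaviour described in the thread: the link is hidden from anonymous
    # visitors whatever the ACL says, so the UI understates what is possible.
    return user is not None

def edit_ticket(acl, ticket, user, summary, description, perm="write"):
    """Server-side handler: the ACL check here is the only real control."""
    if not allowed(acl, user, perm):
        raise PermissionError(f"{perm} denied")
    ticket.update(summary=summary, description=description)
    return ticket

def audit(acl):
    """Permissions held by *anonymous that can alter existing tickets."""
    mutating = {"write", "update", "admin"}
    return sorted(p for p, roles in acl.items() if p in mutating and ANON in roles)

def demo():
    # Constructed sample ticket and ACLs.
    original = {"summary": "Update French translation", "description": "po file to follow"}
    legacy = {"read": [ANON], "post": [ANON], "write": [ANON]}    # setup in the report
    hardened = {"read": [ANON], "post": [ANON], "write": [AUTH]}  # support's advice
    split = {"read": [ANON], "create": [ANON], "update": [AUTH]}  # shape of #3892
    results = {}
    # Legacy: no edit link for anonymous, yet a request without a session passes.
    t = edit_ticket(legacy, dict(original), None, "93795", "<spam>")
    results["legacy"] = (ui_shows_edit_link(None), t["summary"], audit(legacy))
    for name, acl, perm in (("hardened", hardened, "write"), ("split", split, "update")):
        try:
            edit_ticket(acl, dict(original), None, "93795", "<spam>", perm)
            results[name] = "edited"
        except PermissionError:
            results[name] = "denied"
    results["split_create"] = allowed(split, None, "create")
    return results

if __name__ == "__main__":
    print(demo())
```

Running `audit()` over each tool's permission table is the quick check for this class of exposure: any entry it returns means existing tickets can be rewritten without a login, regardless of what the page shows.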

  • Chris Tsai - 2012-03-14
    • status: open --> invalid
     
  • Anonymous - 2012-03-15

    Hello there,

    My name is Aly and I would like to know if you would have any interest to have your website here at apache.org promoted as a resource on our blog alychidesign.com ?

    We are in the midst of updating our broken link resources to include current and up to date resources for our readers. Our resource links are manually approved allowing us to mark a link as a do-follow link as well.
    If you may be interested in being included as a resource on our blog, please let me know.

    Thanks,
    Aly

     

    Last edit: Anonymous 2019-03-26
