The automated spam hitting my tickets is now repeatedly changing the original text of some tickets, including the title, even when the ticket was originally created by a logged-in user. This means the text and title of the ticket are lost and have to be re-entered. You seem to have some security problems in your setup. Hopefully this is not affecting files as well. How are these spammers modifying tickets?
Here is an example of a genuine ticket which was changed to spam:
To: "[spacefm:tickets] " <email@example.com> Subject: [spacefm:tickets] #88010 Update French translation Date: Tue, 13 Mar 2012 22:09:58 +0000 Reply-To: "[spacefm:tickets] " <firstname.lastname@example.org> - **summary**: 93795 --> Update French translation - Description has changed: Diff: --- old +++ new @@ -1,1 +1,1 @@ -c, <a href="http://drecustomfightgear.com/index.html">levitra side effects</a>, <a href="http://klinecustoms.com/index.html">250 antabuse cheap generic mg online order</a>, <a href="http://maranathabeach.com/index.html">propecia online</a>, <a href="http://the-leenks.info/index.html">alcohol erythromycin</a>, <a href="http://think-brew.com/index.html">buy elimite permethrin online</a>, <a href="http://nawiclongbeach.org/index.html">plavix efectos</a>, <a href="http://createdby-kat.com/index.html">buy zithromax</a>, +I started updating the French translation. I'll attach the new po file when it will be ready. --- ** [tickets:88010] Update French translation** **Status:** pending **Labels:** 12319 **Created:** Thu Feb 09, 2012 06:36 AM UTC by Jean-Philippe Fleury **Last Updated:** Tue Mar 13, 2012 09:15 PM UTC **Owner:** nobody I started updating the French translation. I'll attach the new po file when it will be ready. --- Sent from sourceforge.net because you indicated interest in <https://sourceforge.net/p/spacefm/tickets/88010/> To unsubscribe from further messages, please visit <https://sourceforge.net/auth/prefs/>
I tried making an anonymous edit on a ticket on my test project, but I wasn't able to figure out a way to do that. Even granting *anonymous on all the tool permissions (including admin) didn't do the trick.
Perhaps the API is being exploited? Or something else?