Developer forum

Forum » CMS - Standard features » SQL Injection emails

SQL Injection emails

E-mail notifications
Martin Bakken Rickmann
Reply
Posted on 03/05/2019 07:56:33

Hi,

One of our solutions just sent 130.000 emails to np@dynamicweb.com with the following in subject:

SQL NP Injection (\w*(?:\%27|\')[\W\s]*(?:\%6F|o|\%4F)(?:\%72|r|(?:\%52))[\W\s]|'[\W\s]*--|'[\W\s]*#)

I removed the domain in the above.

DW version is 8.9.2.21. I've attached a screendump of management center -> web & http -> security.

How can we aviod sending these emails? 

BR/

Martin

 

2019-05-03_07_52_57-Start.png

Replies

 
Nicolai Pedersen
Posted on 05/05/2019 17:21:36
Reply

By NOT having the "Do not ban IPs" set - and find the cause and fix it. It is huge security issue that you have that checkbox set...

In DW9 it will only send a max of 50 mails - but that has not been ported to DW8.

BR Nicolai

 

You must be logged in to post in the forum