Security concerns with "Share List" function
4 years 5 months ago #1
by 3by400, Inc.
Security concerns with "Share List" function was created by 3by400, Inc.
We've recently performed pen tests on our site and several of the flagged issues were related to MyShortList, including XSS and XS request forgery.
The cross-site forgery vulnerability is due to the method used for list sharing. The sent email uses the user's name as the from name along with the global mail from email address as the from email, which allows a user to spoof the site's email domain. This along with the "message" field poses the risk of a user spoofing the site domain and sending a phishing type email that could potentially include a request for a password or other sensitive info. Is there a way to disable the "message" field and replace it with a default message set in admin, and also send the email using the global from name?
The pen test also revealed that there was "insufficient validation of user input that exposes the application to persistent cross site scripting (XSS) vulnerabilities." Here was the recommended solution ...
Two effective methods to combat XSS are:
- Contextual output encoding
- Input validation
Please see the below reference for further information:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
4 years 5 months ago #2
by Christopher Mavros
Replied by Christopher Mavros on topic Security concerns with "Share List" function
Hi there and thank you for posting!
I'll review your message in detail on Monday morning, and I'll let you know.
In the meantime, please know that we have never faced security issues with our extensions, and that you can completely disable the Send function, or set it to only send to admin.
I'll let you know as soon as possible.
Thanks again.
Christopher Mavros
me@mavxr.com
If you like our extensions, please rate us on the JED!
4 years 5 months ago #3
by 3by400, Inc.
Replied by 3by400, Inc. on topic Security concerns with "Share List" function
Thank you. I found where to disable the "message" field; however, I'm not seeing a way to change the email's from name. Also, is the "Send List Email Pre-text" value supposed to be included in the email? It's not being included in my testing.
4 years 5 months ago #4
by Christopher Mavros
Replied by Christopher Mavros on topic Security concerns with "Share List" function
Hi again!
Thank you for your posts.
First, let's clarify the Send list feature discussion. This feature allows the admin to select between 3 possible setups. You can either completely disable it, enable sending to admin only, or enable sending the list to users' friends.
The first two points are clearly safe by default. Even if the user tries to "spoof" the sender's name, the recipient is always the site administrator.
Your concern is obviously about the third setup, which is the send to friend functionality.
By default, this functionality only includes 3 fields: Your name, your email and your friend's email.
The first two are required for your users' friends to identify the sender of this message, and the third is the recipient.
Our approach of using the input name as the sender's name was originally made for recipients to easily recognize the actual origin of this message, and understand that their friend has shared something with them, instead of a random site spamming them. I understand that this approach could cause some misunderstandings, so I will change it in our next update.
The "Send List Email Pre-text" is only used when the "Send Copy to User" option is enabled, and is only included in the Copy message, as you can read in the parameter's description:
(A Short HTML enabled text to include in the email copy sent to the user)
The message field you describe is a custom field. You can choose which custom fields to allow your users to write in your Send list email. If you have reason to believe that this can be abused, you may not include a message field. It's true that the user can write whatever they want, but they cannot include HTML to create a phishing email, and whether URLs will be rendered as links depends on the email client. If you feel this could improve security, maybe we could implement a URL removal filter for custom texts.
Please also keep in mind that you may also include a captcha in your additional fields by writing:
captcha#Captcha
Now, as for the XSS. Do you use Item Variables? Where exactly did you get this vulnerability warning?
Can you please provide some more information?
Thanks again.
4 years 5 months ago #5
by 3by400, Inc.
Replied by 3by400, Inc. on topic Security concerns with "Share List" function
Thank you for the response. I'll gather the documentation we have from the penetration test and provide it to you.
-- What file can I modify in the meantime to change the from name to be the global from name?
-- Concerning the text to be included in the email, I thought the tooltip reference to "copy" was referring to copy in the context of "content". I'll look for a language string containing the email body and alter it there.
4 years 5 months ago #6
by Christopher Mavros
Replied by Christopher Mavros on topic Security concerns with "Share List" function
Great, this will help a lot. Thanks.
To change the sender's name, you can edit file modules/mod_myshortlist/mod_myshortlist.php, line 49. You can write $app->getCfg('fromname') instead of the posted value.
MyShortlist allows for customizations in almost every part of it.
To customize the Send List email, you can create a template override of the file modules/mod_myshortlist/tmpl/default_email_body.php
If you need more information on creating template overrides, you can read here.
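The from-name fix described above and the pen test's two XSS recommendations (contextual output encoding and input validation) in one place, as an added example that is not MyShortList's own code: the sender identity comes from the site configuration (the `mailfrom` and `fromname` values that Joomla's `$app->getCfg()` returns), the posted addresses are validated, and the user's name and message are HTML-encoded before they enter the body. `buildShareMail`, its array layout and the Reply-To handling are assumptions; real module code would hand these values to Joomla's mailer.

```php
<?php
// Added example, not MyShortList's code: build the share-list email so that
// the From name is never the posted value, and every user-supplied field is
// encoded for the HTML body. $siteConfig stands in for Joomla's global mail
// settings ($app->getCfg('mailfrom'), $app->getCfg('fromname')).

function buildShareMail(array $post, array $siteConfig): array
{
    // Input validation: recipient and sharer must be syntactically valid
    // addresses, otherwise the send is refused.
    $friend = filter_var($post['friend_email'] ?? '', FILTER_VALIDATE_EMAIL);
    $sender = filter_var($post['your_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($friend === false || $sender === false) {
        throw new InvalidArgumentException('invalid email address');
    }

    // Contextual output encoding: these values land in an HTML body, so
    // escape them for that context. The name also goes into a header,
    // so it is reduced to a single line.
    $h = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    $name    = trim(preg_replace('/[\r\n]+/', ' ', (string) ($post['your_name'] ?? '')));
    $message = (string) ($post['message'] ?? '');

    $body = '<p>' . $h($name) . ' (' . $h($sender) . ') shared a list with you.</p>';
    if ($message !== '') {
        $body .= '<p>' . nl2br($h($message)) . '</p>';   // encode first, then add <br>
    }

    return [
        // From name and address come from the global mail settings, so the
        // mail cannot be made to look as if it was sent by the posted name.
        'from'     => [$siteConfig['mailfrom'], $siteConfig['fromname']],
        'reply_to' => [$sender, $name],   // assumption: friend can still reply to the sharer
        'to'       => $friend,
        'subject'  => $siteConfig['fromname'] . ': a list was shared with you',
        'body'     => $body,
    ];
}

// Constructed sample input: a message containing markup, which must reach
// the recipient as literal text rather than as a rendered link.
$mail = buildShareMail(
    ['your_name' => 'Alice', 'your_email' => 'alice@example.test',
     'friend_email' => 'bob@example.test',
     'message' => 'Have a look: <a href="http://example.test/login">sign in</a>'],
    ['mailfrom' => 'noreply@site.example', 'fromname' => 'Example Site']
);
print_r($mail);
```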