I have to tell you that this horrible thing happened on the site of my client. It gave me a bad reputation because of your module.
Well, she sent out the email and the email was posted on the front page...

WHEN YOU CLICK on READ MORE, the content of that email was shown to every person; the email was intended only for a special group of my site...
but that is not the worst... the worst is when you clicked on read more...

all the BCC emails were shown... the whole list of our customers... I mean how can this thing happen????
That is ridiculous... so unprofessional... why do you allow this to happen?
I later disabled the option to post it as a node on the front page... but showing your contact list to every spammer that clicks that node?

This is the worst thing I have ever seen and it brings a bad light to Drupal in general.

I hope you can explain how this happened?

Comments

sopranos created an issue. See original summary.

interdruper

Status: Active » Closed (works as designed)

Please do not blame the module in this way: the module is insecure... only if it is not properly configured and used. Please review:

  • that you really want to publish and promote to the front page the mass contact nodes (admin/structure/types/manage/mass_contact, Publishing options)
  • in the previous case, make sure that the fields Headers and BCC are hidden in the display view modes (admin/structure/types/manage/mass_contact/display)
  • check out also the module permissions (admin/people/permissions)

So there is no bug in this matter, although probably the above prevention should be highlighted in the module page and/or the README.txt.
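The three checks in the comment above can be scripted so a site owner can audit an installation instead of clicking through the admin pages. The following Drupal 7 script is an added example, not code from the Mass Contact module or from anyone in this thread; it uses only core APIs (`variable_get`, `field_info_instances`, `user_access`). The name pattern used to find the Headers and BCC fields is an assumption, because the module's field machine names are not given here, so adjust it to the names shown on your own display settings page.

```php
<?php
/**
 * Added audit example for Drupal 7 (not part of the Mass Contact module).
 * Run it with a bootstrapped Drush: drush scr audit_mass_contact.php
 */

function mass_contact_audit_exposure() {
  $findings = array();

  // 1. Publishing options (admin/structure/types/manage/mass_contact):
  // core keeps a type's default options in the variable node_options_<type>;
  // a fresh type is published and promoted unless that variable says otherwise.
  $options = variable_get('node_options_mass_contact', array('status', 'promote'));
  if (in_array('promote', $options)) {
    $findings[] = 'mass_contact nodes are promoted to the front page by default.';
  }

  // 2. Field display (admin/structure/types/manage/mass_contact/display):
  // each field instance carries per-view-mode display settings, and the
  // display type 'hidden' means the field is not rendered in that view mode.
  // ASSUMPTION: the Headers/BCC fields are found by a name pattern; replace it
  // with the real machine names from your site's display settings page.
  foreach (field_info_instances('node', 'mass_contact') as $field_name => $instance) {
    if (!preg_match('/bcc|header|recipient/i', $field_name)) {
      continue;
    }
    foreach ($instance['display'] as $view_mode => $display) {
      if ($display['type'] !== 'hidden') {
        $findings[] = "$field_name is rendered in view mode '$view_mode'.";
      }
    }
  }

  // 3. Permissions (admin/people/permissions): if anonymous users may view
  // published content, a promoted node with visible BCC fields leaks to everyone.
  if (user_access('access content', drupal_anonymous_user())) {
    $findings[] = 'Anonymous users hold "access content" and can view published nodes.';
  }

  return $findings;
}

$findings = mass_contact_audit_exposure();
if (empty($findings)) {
  print "[OK] No exposure found for the mass_contact content type.\n";
}
foreach ($findings as $finding) {
  print "[WARN] $finding\n";
}
```

A single warning is not a leak by itself; it is the combination of a promoted, published node, a rendered recipient field and a role that can view content that exposes the list, which is why the script reports all three and leaves the judgement to the administrator.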

greggles

Title: Very unsecure and dangerous bug on this module » Document insecure and dangerous configurations of this module
Component: Code » Documentation
Category: Bug report » Task
Status: Closed (works as designed) » Active

If it is not documented, then yes, it should be. Reopening and re-categorizing for that.

oadaeh

Assigned: Unassigned » oadaeh

I'm working on this.

  • oadaeh committed 9bbccd5 on 7.x-1.x
    Issue #2805727 by interdruper, oadaeh: Document insecure and dangerous...

  • oadaeh committed ec51654 on 7.x-1.x
    Issue #2805727 by oadaeh: Placing the information on permissions before...

oadaeh

Status: Active » Fixed

I took @interdruper's text, fine-tuned and expanded on it, and committed the changes to the 7.x-1.x branch. I also updated the project documentation at https://www.drupal.org/node/890226.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Michael-IDA

Hmm, can't re-open, but a fresh installation state should not be configured so that it has privacy violation issues.