Idea ID: 2873271

Enhance send mail function security

Wanyee Chin
Status : New Idea

During the application test, it was observed that some modules allow a user to send email to other users, for example to report progress on an item, to report defects and so on.

E.g.: From User Site:

- Requirements > Requirements > Send by Email
- Testing > Testing Resources > Send by Email
- Testing > Business Components > Send by Email
- Testing > Test Plan > Send by Email
- Testing > Test runs > Send by Email
- Defects > Send by Email

The application does not check whether the request was submitted by a human or by an automated client, so a captured request can be replayed.

Malicious users would be able to abuse the function to overload the mail server: for every successful request, the mail server sends an email to the registered user's email address, so replaying the same request many times multiplies that load.

It is recommended to implement a one-time, random and unique nonce per request, so that the server can verify that a submitted POST corresponds to the particular form it issued and reject replayed packets.
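The following is an added illustration of the recommended control, not code from the product or from the idea's author. It assumes a generic web application: a server-side store of issued nonces keyed by session, a hypothetical `send_by_email` handler, and an in-memory outbox standing in for the real mail server. Each nonce is a 256-bit random value from `secrets`, is bound to the session that requested the form, is removed from the store on first use, and expires after an assumed lifetime, so a replayed packet is rejected before any mail is queued.

```python
import secrets
import time

# Assumed lifetime of an issued form nonce, in seconds (illustrative value).
NONCE_TTL_SECONDS = 600


class NonceStore:
    """Server-side record of nonces handed out with 'Send by Email' forms.

    In-memory for this example; a real deployment would back this with the
    application's session store so the state survives restarts and scales out.
    """

    def __init__(self):
        # session_id -> {nonce: issue_time}
        self._issued = {}

    def issue(self, session_id, now=None):
        """Create a fresh, unpredictable nonce bound to one user session."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._issued.setdefault(session_id, {})[nonce] = now
        return nonce

    def consume(self, session_id, nonce, now=None):
        """Accept a nonce exactly once, only for its own session, only within TTL.

        pop() removes the entry on the first lookup, so a second request
        carrying the same nonce (a replay) finds nothing and is refused.
        The 256-bit value makes guessing a valid nonce infeasible.
        """
        now = time.time() if now is None else now
        issued_at = self._issued.get(session_id, {}).pop(nonce, None)
        if issued_at is None:
            return False  # unknown, already used, or issued to another session
        if now - issued_at > NONCE_TTL_SECONDS:
            return False  # stale form; user must reload and get a new nonce
        return True

    def purge_expired(self, now=None):
        """Housekeeping so abandoned forms do not accumulate indefinitely."""
        now = time.time() if now is None else now
        for per_session in self._issued.values():
            for nonce in [n for n, t in per_session.items() if now - t > NONCE_TTL_SECONDS]:
                del per_session[nonce]


def render_send_form(store, session_id, item_id, now=None):
    """Return the form fields the page would embed, including the hidden nonce."""
    return {"item_id": item_id, "nonce": store.issue(session_id, now)}


def send_by_email(store, outbox, session_id, form, now=None):
    """Hypothetical POST handler: verify the nonce before touching the mail path.

    Returns (http_status, message). Mail is only appended to `outbox` when the
    nonce check passes, so replayed packets generate no mail-server traffic.
    """
    nonce = form.get("nonce", "")
    if not store.consume(session_id, nonce, now):
        return 400, "rejected: missing, expired, or already-used request token"
    outbox.append({"to": form.get("recipient", ""), "item_id": form.get("item_id")})
    return 200, "email queued"


if __name__ == "__main__":
    store, outbox = NonceStore(), []
    # Constructed sample session: user loads the form, then submits it once.
    fields = render_send_form(store, "session-A", item_id="DEF-1", now=1000.0)
    post = {**fields, "recipient": "owner@example.invalid"}
    print(send_by_email(store, outbox, "session-A", post, now=1001.0))   # (200, ...)
    # The same captured packet sent again is refused and sends nothing.
    print(send_by_email(store, outbox, "session-A", post, now=1002.0))   # (400, ...)
    print(len(outbox))  # 1
```

Because the check is enforced server-side and the nonce is consumed atomically on first use, it does not matter whether the repeated submissions come from a browser or a script. The nonce only answers the replay question raised above; how many distinct forms one user may submit per minute is a separate throughput control that the store does not attempt to enforce.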