Strange OC1 remind password behaviour

Yesterday I received about 10 remind password emails. All had the same content except for the restore password link:

https://bb.ccc.dddd.ocwebsite.pl/backend/backend/auth/reset/1/8loBDM2vYtrO6JGoornz2oIy7PoqATxiDJCH35oBFJ
https://mail3.ocwebsite.pl/backend/backend/auth/reset/1/LDIvQABYT8ueX0waS6epQaxIcwtvGkyRvsYjgCIyXC
https://mx7.domkinadmorzem.pl/backend/backend/auth/reset/1/0tYkr5xK5f9hG4mcWJmRsshgMC1I7elSBzM4pFFfVS
https://remote.domkinadmorzem.pl/backend/backend/auth/reset/1/CEJRq5aIPEEmRIgY86LPNc1KxR30i6xvTTKIPCqiYq

You should change your backend URL to something else, you can do it in the config file.

1 Like

Additionally, your web server is allowing any hostname to serve its website. This means anyone can point their domain to your server and host your website using their domain.

It is best to restrict your web server to only serve sites from domains that you approve.
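
One way to apply the restriction described in the last reply, assuming the site runs on nginx (the thread does not say which web server is in use). This is an added example, not part of the original posts; `www.example.com` and all file paths are placeholders.

```nginx
# Constructed example. www.example.com stands in for the site's real hostname.

# Catch-all block: any request whose Host header (or TLS SNI name) matches
# none of the server_name entries further down is handled here and dropped.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    server_name _;

    # Refuse the TLS handshake for unknown names, so no certificate is
    # needed for this block (available since nginx 1.19.4).
    ssl_reject_handshake on;

    # Close the connection without sending a response.
    return 444;
}

# Plain-HTTP requests for the approved names are redirected to HTTPS.
server {
    listen 80;
    server_name www.example.com example.com;
    return 301 https://www.example.com$request_uri;
}

# The real site: served only for the hostnames listed in server_name.
server {
    listen 443 ssl;
    server_name www.example.com example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path

    root  /var/www/example;                              # placeholder path
    index index.php;

    # The site's existing PHP and rewrite configuration stays as it is
    # and goes here unchanged.
}
```

After reloading nginx, a request sent to the server with a Host header that is not listed in `server_name` should have its connection closed instead of receiving the site, which also stops the application from building links with a hostname someone else chose.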