[ADDRESSED] Contact Form Security - Sql injection & Spam Bots

Discussion regarding Joomla! security issues.

britannia
Joomla! Apprentice
Posts: 9
Joined: Tue Oct 04, 2005 9:02 am

[ADDRESSED] Contact Form Security - Sql injection & Spam Bots

Post by britannia » Tue Oct 04, 2005 9:27 am

Hi All,

I have been concerned lately as a lot of spam has been coming through various forms (contact) on my sites. I am also worried about SQL injection.

With the latest release of Joomla are the forms safe?

Secondly, a number of sites are adding "Captcha" images to the forms to stop "bots", though I believe this will cause issues with accessibility/disabilities and hence the regulations!
Another way I have seen is by asking a simple question - such as add 16+4 (more here); the user enters the answer and sends the form. (See it in action HERE)
I wonder if there is a way to add this to our forms to secure them a little better from "bots" and the spammers! :)

Regards,
Dave ;D
Last edited by stingrey on Thu Jan 12, 2006 11:16 pm, edited 1 time in total.
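The "simple question" approach Dave describes (ask for 16+4 instead of showing a Captcha image) can be done without storing anything on the server: the question goes out with a token that carries a nonce, an expiry and an HMAC over the expected answer, and the submission is checked against that token. This is an added example, not code from the thread or from Joomla; the key, the 600-second lifetime and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import random
import secrets
import time

# Server-side signing key. Constructed for this example; a real deployment loads
# it from configuration and never exposes it in the page or the form.
SECRET_KEY = b"example-challenge-key-not-for-production"
CHALLENGE_TTL = 600  # seconds a question stays answerable

def _sign(nonce, expires, answer):
    """HMAC over nonce|expiry|answer; the client receives only the tag, not the answer."""
    msg = f"{nonce}|{expires}|{answer}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def make_challenge(a=None, b=None, now=None):
    """Return (question, token). Operands default to random values; passing them
    explicitly makes the challenge reproducible (useful for tests)."""
    a = random.randint(1, 20) if a is None else a
    b = random.randint(1, 20) if b is None else b
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)
    expires = now + CHALLENGE_TTL
    token = f"{nonce}:{expires}:{_sign(nonce, expires, a + b)}"
    return f"What is {a} + {b}?", token

def verify_answer(token, submitted, now=None, seen_nonces=None):
    """Check a submitted answer against its token. Returns (ok, reason).
    Rejects malformed tokens, expired challenges, wrong answers and, when a
    `seen_nonces` set is supplied, replays of an already-used challenge."""
    now = int(time.time()) if now is None else int(now)
    try:
        nonce, expires_str, tag = token.split(":")
        expires = int(expires_str)
        answer = int(str(submitted).strip())
    except (ValueError, AttributeError):
        return False, "malformed"
    if now > expires:
        return False, "expired"
    # Constant-time comparison so the tag cannot be recovered through timing.
    if not hmac.compare_digest(tag, _sign(nonce, expires, answer)):
        return False, "wrong answer"
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False, "replayed"
        seen_nonces.add(nonce)
    return True, "ok"
```

Because the question itself is visible, this mainly keeps casual bots and replayed submissions out while staying readable for screen-reader users; it is not a strong barrier against a script that evaluates the arithmetic.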

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Wed Oct 05, 2005 9:22 am

Hey,

I am suffering the same - **** poker idiots generally. I have loads of these!

Can anyone suggest how to stop them! Please!
Tried "Captcha" and it does not work!

Thanx

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Oct 07, 2005 3:00 pm

I have been concerned lately as a lot of spam has been coming through various forms (contact) on my sites. I am also worried about SQL injection.

With the latest release of Joomla are the forms safe?
Does anyone have any knowledge of this?
Another way I have seen is by asking a simple question - such as add 16+4 (more here); the user enters the answer and sends the form. (See it in action HERE)
I wonder if there is a way to add this to our forms to secure them a little better from "bots" and the spammers!
Does anyone know how to do this?
Thanks
Dave

Websmurf
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands

Re: Form Security - Sql injection & Spam Bots

Post by Websmurf » Fri Oct 07, 2005 3:22 pm

deejayh wrote: Hey,

I am suffering the same - **** poker idiots generally. I have loads of these!

Can anyone suggest how to stop them! Please!
Tried "Captcha" and it does not work!

Thanx
Captcha did work for me, well... it excludes most of them. Sometimes something slips through, but most of it stopped.
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Sat Oct 08, 2005 6:08 pm

Thanks for the reply Websmurf,

I really don't want to go down the route of "captcha" as I have a few members with disabilities, and would prefer to have a simple question.

But I also want to know if the forms are safe!
Thanks,
Dave

nathandiehl
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA

Re: Form Security - Sql injection & Spam Bots

Post by nathandiehl » Mon Oct 10, 2005 4:44 pm

Are you using any of Joomla!'s email cloaking capabilities?

Is there a reason that the email cloaking won't work for you?
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Mon Oct 10, 2005 5:28 pm

nathandiehl,
Are you using any of Joomla!'s email cloaking capabilities?
Yes
Is there a reason that the email cloaking won't work for you?
I really do not think this has to do with this.
Basically it hides your email addresses from bots.

This problem lies with a Contact Form - Spoofed Form Submissions, either to hit you with spam (mainly about poker sites!) or to inject other email addresses to send thousands of spam messages through your site! This can be a dire problem as your ISP will close your site down, as it is your responsibility! :-*
PROBLEM:
Almost every website has an HTML form for visitors to complete. But how do you know that the person who completed the form did so through your website? That is, how do you make sure that no one has 'spoofed', i.e., 'forged', a form submission?

BACKGROUND INFORMATION: SPOOFING SUBMISSIONS & FORGING REQUESTS
Another site to look at:
securephp.damonkohler.com - Email_Injection
"Captcha" has problems with accessibility!
Really want to know if Joomla forms are ok.
Regards,
Dave

Matthew Schultz
Joomla! Enthusiast
Posts: 150
Joined: Thu Aug 18, 2005 12:46 am
Location: California

Re: Form Security - Sql injection & Spam Bots

Post by Matthew Schultz » Wed Oct 12, 2005 8:27 am

What form capabilities? There's the new user sign up... The article submissions... Don't know how any of these can suffer from an SQL injection. Are you talking about Facile Forms? Or something like Ako Comment?
Joomla & Mambo News, Downloads...
www.primakoala.com

britannia
Joomla! Apprentice
Posts: 9
Joined: Tue Oct 04, 2005 9:02 am

Re: Form Security - Sql injection & Spam Bots

Post by britannia » Wed Oct 12, 2005 9:21 am

I believe the standard "contact Form" within **ambo and Joomla.

I know that Akocomment and Akobook had similar injection problems and have now been resolved (I think!).

Dave

lpkb
Joomla! Enthusiast
Posts: 159
Joined: Mon Aug 22, 2005 9:44 pm

Re: Form Security - Sql injection & Spam Bots

Post by lpkb » Mon Oct 24, 2005 4:23 pm

There's got to be a way (if it doesn't already) to just check the referrer, I would hope. These poker spammers aren't sitting down and typing these or pasting them in on the site, so even the act of checking to see if it comes from the site should cut down most of that.

If that doesn't work, I was wondering if it would be possible to simply declare a variable in PHP (so hidden from the user) in the template file, and then add a conditional statement to the contact form (again in PHP, so hidden) which checks to make sure the "password" is correct.

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Mon Oct 24, 2005 5:42 pm

Hi lpkb,

Thanks for the reply. Sounds good to me to have both of them implemented in the form, especially in the coding of Joomla.

Hopefully someone from the Joomla team can have a look at this and build it in!! :)

Cheers,
Dave

ausmug
Joomla! Apprentice
Posts: 32
Joined: Sun Sep 18, 2005 9:09 am
Location: Australia

Re: Form Security - Sql injection & Spam Bots

Post by ausmug » Sat Nov 05, 2005 7:06 am

I'm desperate for a solution also. These Poker jerks have bombarded my sites with hundreds of these. It is always via Joomla's Contact Component.

In the admin I switched off the option to send a copy of the email hoping that would help. The problem is all these emails come in saying they are a copy of the contact email. Since I have turned off this option these are obviously being automated elsewhere.

The attacks are so bad they have brought my server down 4 times in the last fortnight. Since these attacks started I have also found hundreds of entries in blocks in my router's log files like:


I also tried the Captcha solutions offered but couldn't get them to work with my server.

I am now receiving hundreds of returned emails sent to me by my ISP and this is causing the mail filters they run to start blocking my legitimate emails. I'm desperate.

Matthew Schultz
Joomla! Enthusiast
Posts: 150
Joined: Thu Aug 18, 2005 12:46 am
Location: California

Re: Form Security - Sql injection & Spam Bots

Post by Matthew Schultz » Sat Nov 05, 2005 7:12 am

I haven't run into this problem (yet). If you can narrow down that it's coming from the contact component you can always uninstall it and try something like Contact XTD:

http://developer.joomla.org/sf/projects/contacts_xtd

Might hold it off for a while. My guess is the spammers have automated scripts that find sites using the contacts component. So also using a SEF program to redirect the contact component to another URL might help.
Last edited by Matthew Schultz on Sat Nov 05, 2005 7:14 am, edited 1 time in total.

ausmug
Joomla! Apprentice
Posts: 32
Joined: Sun Sep 18, 2005 9:09 am
Location: Australia

Re: Form Security - Sql injection & Spam Bots

Post by ausmug » Wed Nov 09, 2005 10:48 am

Being a core component, there appears to be no way to actually uninstall the contact component other than to physically remove the folder from the server. I did however delete the menu item pointing to this component and created a new menu item pointing to contactxtd instead, which I installed. I also changed the SMTP server to use, set up some spam filters and changed the address that the contact mail goes to, as well as unticking the setting to stop the copy mail box appearing. Trouble is that it has made absolutely no difference. These spam mails replicated these changes immediately, or so damn fast I couldn't notice any quiet spell. The thing is, failed mail returned to me says this is a copy of the mail sent, yet this has been deactivated.

I don't know if this is related but I notice I can now also no longer access my mass mail function on any of my sites, so now I can't even contact my own members while I can't stop this guy contacting people. Very frustrating. ???

Matthew Schultz wrote: I haven't run into this problem (yet). If you can narrow down that it's coming from the contact component you can always uninstall it and try something like Contact XTD:

http://developer.joomla.org/sf/projects/contacts_xtd

Might hold it off for a while. My guess is the spammers have automated scripts that find sites using the contacts component. So also using a SEF program to redirect the contact component to another URL might help.

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Wed Nov 09, 2005 1:41 pm

ausmug
I did similar to you, though not as thorough! I changed the address the contact email goes to, to see what would happen - same!
What really bugs me is all the bounced failed messages coming back to me! Still need the failure messages to check on the users registering (still amazes me how many cannot correctly spell their own email address! Though some could be the same idiots trying the system out!). I get on average 50 plus per day; apart from 2 or 3 the rest are spam. So each day I get around 48 spam and 48 corresponding email failures! Here's some email addresses:
I wonder if we could change the contact form to check for the name "Poker" (or for other certain words), which will refuse to send it?

I have set up a 400 error system that logs the errors and sends the email to me. Apart from normal errors there are a number of these:
  • http://www......com/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0
  • http://www......com/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0
Will have to keep at it! :)
Cheers,
Dave

lpkb
Joomla! Enthusiast
Posts: 159
Joined: Mon Aug 22, 2005 9:44 pm

Re: Form Security - Sql injection & Spam Bots

Post by lpkb » Wed Nov 09, 2005 6:00 pm

Is there a way to use JavaScript to encode a "password" variable in the component, maybe in the same vein as how it encodes email addresses with the cloaking bot, so the crawlers can't access it?

Then it would check for the password before sending the emails - so that no one without JavaScript enabled can send?

lpkb
Joomla! Enthusiast
Posts: 159
Joined: Mon Aug 22, 2005 9:44 pm

Re: Form Security - Sql injection & Spam Bots

Post by lpkb » Wed Nov 09, 2005 7:24 pm

Another thing to consider:

When I set my sites up, I upload Joomla! code with FTP. This (due to the way my host works) results in differing user/group identities between items created inside Joomla! (e.g. installed components, files created in MamboXplorer, etc.) and the core files.

In order to make some of these things work (e.g. the contact component) I was forced to set the executable bit.

I am trying an experiment in which I renamed the com_contact folder through my FTP, then recreated it and all the files in it through MamboXplorer (creating the directory, then creating all 4 files and cutting/pasting into them).

This allows me not to have the executable bit set and still have it function on the website.

I'm hoping my contact spam will decrease because of this. Does this sound feasible or am I barking up the wrong tree?

l.

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Sat Nov 12, 2005 3:27 pm

Right, after loads of investigation I have found the culprit.

Originally, on a ***bo 4.something version, I added a Recommend component from Sakic.
About a year ago I de-installed it after numerous upgrades. But after digging through a load of spam over the last few months I found in many of the emails that were bounced back the following:
free online poker informs you - or even tells you:
free online poker It was Talavera-plasencia-oliver, my disserui and sabec rock-crystal, and my lodgers, after the fashion of the seven-fifteen states ; for he stoop'd only about a hundred and seventy miles from me. But
---------------------------------------------
Recommend Mambo Component (http://www.sakic.net)
I have now FTP'd in and removed it!! Stopped most (80%) of the spam straight away!

I have now been checking my site and removing by FTP any old stuff which actually does not get removed when you de-install in the backend!

Feels good already! :)
Cheers,
Dave

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Sat Nov 12, 2005 3:35 pm

Spoke a little too soon!! - Still getting loads through the contact form in Joomla - same as before:
Is there any way in the contact form to NOT process the form if certain words (such as POKER or ACRODUKE) are entered anywhere on the form??
Please help
Thanks,
Dave

ausmug
Joomla! Apprentice
Posts: 32
Joined: Sun Sep 18, 2005 9:09 am
Location: Australia

Re: Form Security - Sql injection & Spam Bots

Post by ausmug » Sat Nov 12, 2005 4:01 pm

Since it is a core component causing this problem I wonder if it's possible if someone from the development team or some other experienced member could chime in with some suggestions. It is exactly the same scumbag causing all of us this grief so there's got to be some way to stop him. ???

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Sat Nov 12, 2005 5:37 pm

spot on ausmug! "scumbag".

Hopefully someone from the dev team can help us add some sort of option in the backend to exclude various words such as "POKER".

Can anyone help??

Regards,
Dave

ausmug
Joomla! Apprentice
Posts: 32
Joined: Sun Sep 18, 2005 9:09 am
Location: Australia

Re: Form Security - Sql injection & Spam Bots

Post by ausmug » Mon Nov 21, 2005 5:30 am

I'm just bumping this issue.

I am receiving nearly a hundred email failure return notices per day from my ISP for spam emails this Poker jerk is sending through my Joomla contact form. I've been busy recommending Joomla to all the other Australian Mac User Groups for their sites, having used Mambo and then Joomla for over 2 years. However, if there is no solution for this problem I'm going to have to reconsider recommending it until this issue is addressed.

Matthew Schultz
Joomla! Enthusiast
Posts: 150
Joined: Thu Aug 18, 2005 12:46 am
Location: California

Re: Form Security - Sql injection & Spam Bots

Post by Matthew Schultz » Mon Nov 21, 2005 7:49 am

There's no way to stop this even by using a different mailer for Joomla, is there? I mean if you tell Joomla to use sendmail or SMTP instead of the PHP mailer, I figure you can tell the server to filter the outgoing mail (say only allow the mail to go to the email address in the contact list, so at least you're the only one getting spammed). Or is the hack just making Joomla an open relay?
Last edited by Matthew Schultz on Mon Nov 21, 2005 7:51 am, edited 1 time in total.

ausmug
Joomla! Apprentice
Posts: 32
Joined: Sun Sep 18, 2005 9:09 am
Location: Australia

Re: Form Security - Sql injection & Spam Bots

Post by ausmug » Mon Nov 21, 2005 9:26 am

I have Joomla set to use SMTP pointing to my local mail server's SMTP address, which authenticates that the sending IP is on my network. All mail is then passed on to my ISP's SMTP server, but all the returned copies of emails sent by the spammer say "using PHP Mailer" in the headers. I've swapped from the default contact to Contact XTD, turned off the copy mail function and even hidden the form interface, just showing a single email address that is hidden by the anti-spam bot. I've done everything possible yet this guy uses my server with total freedom.

I've been developing sites since '93 and have been running my own servers with nearly a dozen sites since around 2000, all without any problems with spammers, yet this Joomla install seems to be totally open to abuse. I just want Joomla to stop being the weak point in my network's security.

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: Form Security - Sql injection & Spam Bots

Post by davidrrm » Mon Nov 21, 2005 2:09 pm

Just looking briefly at com_contact, there are a number of issues with it. I've removed the files from my Mambo installations (I'm planning on upgrading to Joomla! in December) because I don't use it, and I can't have people sending random email from my system.

Here are the changes I'd suggest to com_contact (and if I wasn't swamped this month, I'd make them myself)

The "email myself" option needs to be checked when it's time to send email. Just relying on the value being returned correctly is dangerous (never, never trust data coming from the user). This is a nice door for spammers to send emails to whomever they want using your machine.
I think IP addresses should be logged and users not allowed to send email more than a few times every five minutes (perhaps that would be a configurable option).
We could think of implementing something like WP-Hashcash to ensure that the user is a real user (though that may be overkill).

I'm sure others would have some good ideas too.
If the spammer is coming from just a couple IP addresses, you could block them with .htaccess from your entire site. I'd suggest removing the com_contact folder if you don't need it.
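davidrrm's two concrete suggestions (treat the "email myself" option as a server-side setting rather than a value returned by the user, and limit submissions per IP to a few every five minutes), together with the spoofed-submission and email-injection concern Dave raised earlier in the thread, can be put into one submission handler. This is an added example, not code from the thread or from Joomla's com_contact; it is written in Python for illustration, and CONTACTS, the admin setting, the limits and the function names are constructed assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Constructed stand-ins for the site's contact table and admin settings.
CONTACTS = {1: "webmaster@example.org", 2: "sales@example.org"}
ALLOW_COPY_TO_SENDER = False  # admin option: read here, never trusted from the POST
RATE_LIMIT = 3                # submissions per IP ...
RATE_WINDOW = 300             # ... within this many seconds (five minutes)

_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_attempts = defaultdict(deque)  # client IP -> timestamps of recent attempts

def has_header_injection(value):
    """A CR/LF (raw or URL-encoded) inside a field that ends up in a mail header
    lets the submitter append Bcc:/To: lines; that is how a form becomes a relay."""
    return re.search(r"[\r\n]|%0[aAdD]", value) is not None

def rate_limited(client_ip, now):
    """Sliding window: more than RATE_LIMIT attempts in RATE_WINDOW seconds is refused."""
    recent = _attempts[client_ip]
    while recent and now - recent[0] > RATE_WINDOW:
        recent.popleft()
    if len(recent) >= RATE_LIMIT:
        return True
    recent.append(now)
    return False

def handle_submission(form, client_ip, now=None):
    """Validate one contact-form POST. Returns (True, [messages]) or (False, reason).
    The recipient is looked up by contact id on the server; no field in `form`
    (such as a forged 'to' or 'email_copy') can change where mail goes."""
    now = time.time() if now is None else now
    if rate_limited(client_ip, now):  # counted first, so rejected junk also counts
        return False, "rate limited"
    try:
        recipient = CONTACTS[int(form.get("contact_id", ""))]
    except (ValueError, KeyError):
        return False, "unknown contact"
    name = form.get("name", "").strip()
    sender = form.get("email", "").strip()
    subject = form.get("subject", "").strip()
    body = form.get("text", "")
    if any(has_header_injection(v) for v in (name, sender, subject)):
        return False, "header injection"
    if not _EMAIL_RE.match(sender):
        return False, "invalid email"
    messages = [{"to": recipient, "reply_to": sender, "subject": subject,
                 "body": f"Enquiry from {name} <{sender}>\n\n{body}"}]
    # The copy-to-sender feature is honoured only if the admin enabled it server-side.
    if ALLOW_COPY_TO_SENDER and form.get("email_copy") == "1":
        messages.append({"to": sender, "reply_to": recipient,
                         "subject": "Copy: " + subject, "body": body})
    return True, messages
```

With the copy option off server-side, a spammer who sets `email_copy=1` and a victim address in the form gets nothing relayed, which is the failure mode the bounced "copy of the mail sent" messages in this thread point at.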

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Mon Nov 21, 2005 4:22 pm

Can we add something to the form that will refuse to send it if various "banned" words are used - ie: if POKER was typed in by someone the form would be refused?

Can some developer have a look at this for us please. I am hearing more and more people complaining about Joomla forms being suspect. I have had my host warn me, so I have had to take any sort of contact form down!

Help!!
Dave

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: Form Security - Sql injection & Spam Bots

Post by davidrrm » Mon Nov 21, 2005 4:36 pm

That would be possible, but would probably not provide as much protection as you'd like. If you've watched the ever-changing nature of spam, you'll notice that as soon as people try to look at specific words (like Poker) you'll get people being creative (P0ker or P*o*k*e*r); the possibilities seem to be endless.

vanwel
Joomla! Apprentice
Posts: 7
Joined: Wed Nov 30, 2005 12:53 pm

Re: Form Security - Sql injection & Spam Bots

Post by vanwel » Wed Nov 30, 2005 12:54 pm

Anybody with ideas? I need a solution fast, because my provider wants to take my site offline!

louis.landry
Joomla! Ace
Posts: 1380
Joined: Wed Aug 17, 2005 11:03 pm
Location: San Jose, California

Re: Form Security - Sql injection & Spam Bots

Post by louis.landry » Wed Nov 30, 2005 1:26 pm

Going to look into this...
Joomla Platform Maintainer
A hacker does for love what others would not do for money.

vanwel
Joomla! Apprentice
Posts: 7
Joined: Wed Nov 30, 2005 12:53 pm

Re: Form Security - Sql injection & Spam Bots

Post by vanwel » Wed Nov 30, 2005 1:28 pm

Thanks,

Hope you can come with something good. I'm in deep sh*t.

Have to add that my problem is with the sendenquiry form from Hot Property. But maybe I can just copy/paste the Contact Form solution to the HP form...
