WordPress.org

Custom Contact Forms
Spam can be sent through CCF (13 posts)

  1. roaima
    Member
    Posted 1 year ago #

    CCF version 5.1.0.1

    I emailed you about this a couple of weeks ago using the address listed on your website but haven't heard anything back.

    I'm loath to provide too many details here, but suffice it to say there appears to be a way of using any website with your CCF plugin installed to send email to arbitrary addresses.

    How do you want to proceed? Full disclosure or careful analysis?

    Cheers,
    Chris

    http://wordpress.org/extend/plugins/custom-contact-forms/

    [ Please do not bump, that's not permitted here. ]

  2. zerofeel
    Member
    Posted 1 year ago #

    5.1.0.2 has the issue as well. I had 5.1.0.1 and got an email sent to me by someone from spamcop. I then checked my plugins and there was an update to 5.1.0.2 and I updated to it and turned postfix off to monitor the message queues. A few minutes later I had a few thousand emails in my queues. After updating my server more, scanning for rootkits, and looking around for hours I decided to disable the plugin and my queues now remain empty and things seem to be back to normal for the time being. I really enjoy this plugin and hope that the hole is found and patched up.

  3. roaima
    Member
    Posted 1 year ago #

    Well, I know exactly where the problem lies, and it's only reliably fixable by removing some functionality (and the corresponding code). Unfortunately the author neither responds in this forum nor to the advertised email address, nor via the contact form on his website.

    What to do? I suggest mark the plugin as "does not work" until this problem is resolved.

  4. zerofeel
    Member
    Posted 1 year ago #

    That's a real shame since it's a great plugin. I have since switched to the secure contact form. I just hope my IP doesn't get blacklisted. I noticed that email gets sent via user 33 www-data and the page sending the email wasn't located on my server. Do you know if the exploit gives the attacker access to the physical system?

  5. roaima
    Member
    Posted 1 year ago #

    I have not conducted a serious review of the code. (What I have done is to prove to myself that the flaw exists, and that was sufficient for me.) However, the exploit that I have discovered does not rely on any access to the underlying system.

  6. sathallrin
    Member
    Posted 1 year ago #

    I noticed the same issue just by reviewing the HTML code generated by the form. There is no way you should use this plugin in its current state, as it effectively turns your web server into an open relay.

  7. roaima
    Member
    Posted 1 year ago #

    Furthermore, the new captcha feature does nothing whatsoever to mitigate the problem. If anything, it makes it worse because people believe that CCF must be safe,

  8. CellaScarpi
    Member
    Posted 1 year ago #

    I have not had this issue. I simply use the Are you human check box. And have never gotten spam.

  9. roaima
    Member
    Posted 1 year ago #

    The "are you human" checkbox is also irrelevant to the problem. CCF can be used to make your website send spam to third parties. As a side-effect you get a copy of every single email, too.

    If the author cared enough to contact me we could get this resolved within hours. I have tried to contact the author using their advertised email address, via their advertised website, via a support ticket, and most recently via a review.

  10. abstraction
    Member
    Posted 1 year ago #

    Is there an update to this problem? Any news would be useful.

  11. roaima
    Member
    Posted 11 months ago #

    Sadly even with version 5.1.0.3 I can still route spam through anyone else's Custom Contact Form. No login required.

  12. laga
    Member
    Posted 8 months ago #

    Thanks for the heads-up. I suggest you disclose the exploit - it took me five minutes to find it and I'm not the smartest guy around.

    It's so obvious, it actually hurt.

  13. Steerpike
    Member
    Posted 7 months ago #

    I second that the exploit should be disclosed -- if it is what I think it is, then it's so obvious that we aren't risking revealing anything to spammers that their botnets can't already detect plain as day. I edited custom-contact-forms-front.php as follows. I'm a PHP novice, so can you let me know if this is enough to secure the form, or is there more to the exploit?

    I replaced:

    $dest_email_array = $this->getDestinationEmailArray($form->form_email);

    with:

    $dest_email_array;
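As an added illustration (not the plugin's own code and not Steerpike's edit), the hypothetical handler below shows the principle behind removing that line: recipients come only from server-side configuration, never from anything in the request, and requests that carry recipient-like fields are logged and dropped so the abuse zerofeel saw in the postfix queue is visible before mail leaves. The constant names, field names and addresses are constructed assumptions.

```php
<?php
// Added illustration of a safe recipient policy for a contact form handler.
// Assumption: the only legitimate destination list lives in server-side
// configuration (a constant here); the request never gets a say.

const CONTACT_RECIPIENTS = ['site-owner@example.com']; // constructed sample

// Hypothetical field names a client might use to steer delivery. Listed only
// so that requests carrying them can be detected and refused.
const RECIPIENT_LIKE_FIELDS = ['to', 'recipient', 'recipients', 'form_email',
                               'dest_email', 'cc', 'bcc'];

/**
 * Return the delivery list. $post is accepted but deliberately unused, so a
 * client cannot choose destinations; the configured list is validated each time.
 */
function resolve_recipients(array $post): array {
    $valid = [];
    foreach (CONTACT_RECIPIENTS as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) !== false) {
            $valid[] = $addr;
        }
    }
    return $valid;
}

/**
 * Detection aid: return the request fields that try to set a recipient.
 * A form that never legitimately carries such fields should treat any hit
 * as abuse, log it, and send nothing.
 */
function recipient_tampering_fields(array $post): array {
    $hits = [];
    foreach (array_keys($post) as $name) {
        $lname = strtolower((string) $name);
        if (in_array($lname, RECIPIENT_LIKE_FIELDS, true)) {
            $hits[] = $lname;
        }
    }
    return $hits;
}

// Constructed sample request: a client supplying its own destination.
$sample = ['name' => 'Alice', 'message' => 'Hello', 'form_email' => 'third-party@example.net'];

$tampered = recipient_tampering_fields($sample);
if ($tampered !== []) {
    error_log('contact form: dropped request setting ' . implode(',', $tampered)
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
} else {
    $to = resolve_recipients($sample); // always the configured list
    // wp_mail($to, 'Contact form message', $sample['message']); // WordPress delivery call
}
```

Tailing the web server's error log for the "dropped request" line gives a cheap signal that someone is probing the form, independent of the mail queue.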

Topic Closed

This topic has been closed to new replies.
