Support » Plugins and Hacks » password protection [sic] bypassed;-(

  • Have already suffered an actual ’email injection’ breach because I was unaware that WP-ContactForm v1.1 needed to be updated to v1.4.3 (for WP2.0.1). Bad Behavior v1.2.4 is now also active, it’s currently 412’ing the continuing email injection attempts. MySQL is filling up.

    Hoping to quash the current takeover activities have implemented the password protection [sic] feature on the contact form’s static page. Another static page called ‘password’ shows a simple cryptic clue to the password – ie it’ll stop robots/scripts but not people.

    The logs show nice people going through the password area and on to the contact form.

    The logs show nasty scripts completely ignoring ie bypassing the password area and implementing the POST directly.

    How is this allowed!? More importantly what may I do to defend my WordPress sites?

Viewing 15 replies - 1 through 15 (of 76 total)
  • http_post is how its allowed, and yes, ppl can use http_post from another server. it’s just like any other form that uses http_post.

    I just looked at the sent headers on Ryan’s demo, and I have a suggestion…

    At the very least, in lieu of him implementing some sort of check to make sure its ONLY being called from the domain its installed one (yes that can and ought to be done).. a quick and dirty fix would be a simple referer check:

    RewriteCond %{HTTP_REFERER} "!^*$" [NC]
    RewriteCond %{REQUEST_POST} ".*contact.php$"
    RewriteRule .* - [F]

    Adding that to your .htaccess will prevent someone from using http_post (99.9% of the time) to call the form remotely. They could spoof the referer but its more work that the typical spammer is going to do.

    Like I said, ideally ALL of these scripts should be written to check the referer. I use a secure contact script that does so — it’s not that hard to do


    Btw, this is the the same way most comment spam occurs. Those arent ppl hitting your site; they are scripts, being run from remote servers or boxes, and its simpler to check that referer, and yet its typically not done. I do do it, however.

    Whoami – what secure contact script do you use? Can you link it please? Thanks.

    So the password vector is largely pointless or just simply irrelevant?

    I had already hinted to the WP-ContactForm author about my own perceived need for at least a rudimentary paper trail check…

    Was trying the .htaccess vector but only half got it right.;~/ A moderate improvement to your suggestion would be to use [F,L] and not just [F]. ‘[L]ast’ breaks any further local processing which might otherwise confuse things.

    I’m curious and would like to see your secure contact script too…;~)

    whooami: That .htaccess clause did not work against the criminals nor in my own telnet experiments with and without the Bad Behavior module loaded. I should surely be able to do a simple REFERER check on these POST attempts!? Assistance to effect this would be appreciated as I fear it is a matter of time before they realise or stumble upon a workaround;~/


    it would certainly be easier to help if I knew the page that I was supposed to be helping with. That way EYE can test.

    whooami: Is there a private messaging (eg member to member) facility here on this forum over which I can pass you the details?

    ctown, drop me a note via the contact page on my site @ and i will be more than happy to help 🙂

    whooami: intro now in your (love-mail) box;~)

    whooami – any chance you can link to this so-called secure contact form? Is this a WP plugin?

    coyote: whooami might be busy, she hasn’t yet got in contact. From my own fumblings I have since dropped my use of WP-ContactForm (Ryan seems content to leave blocking to the Bad Behavior plugin); adopted and later dropped my use of the PXS Mail Form which is a WP-ContactForm derivative (the author has not yet responded to either of my entries on his contact blog); and lastly has adopted a seemingly more secure form referenced in another WP thread:
    This *may* be the more secure form to which whooami alludes. I am trying it out at the moment – with and without the Bad Behavior plugin.

    Hi Robert,

    I havent forgot about you — unfortunately my 4 day work schedule is kicking my ***. I did get both emails and will have a look this coming friday. Hopefully, you can have something that works by the middle of my weekend. 🙂

    whooami: Appreciated;~)

    The Custom Contact Me/Us plugin is still a bit twitchy, which seems to reflect its active development, but has appeared to do its stuff so far. However a bunch of remote POSTs were made overnight while this plugin was in operation. Bad Behavior trapped them as similarly it has been doing for the previous pair of plugins.

    Despite my lack of programming experience/knowledge it appears to me that it all might be more to do with how easily the http_post thingummy of WP’s is used/misused rather than the effective security precautions fashioned by any plugin ie WordPress core code?

    For my own part I’ve noticed that the perpetrators seem to be getting tired/bored/disinterested or are running out of IPs. Alternatively perhaps they are pretending to be so for some nefarious purpose being cooked up. I am ensuring that they at least are forced to use fresh IPs on each sortie by locking out those IPs used to attack my sites. Have been doing this for some weeks now and if they ever want to put their heads above the parapet I would like to thank them for helping me to populate my own server’s personal RBL, before blowing their heads off.

    —-best wishes, Robert

    The perpetrating bots are back;~/

    At the moment I have Bad Behaviour offline so I don’t specifically know if it’s the same bunch but, at a guess, it’s the same deviants. The Custom Contact Me/Us plugin is active. I’ve configured it to redirect on success to the home page blindly (OK it’s a bit tough on naive visitors but I’m feeling slightly tough at the moment). As it goes back to the home page when the plugin detects a ‘bad un’ they aren’t getting so much intelligence on each strike wave. Am experimenting with variations on the various .htaccess files.

    Would somebody **PLEASE** fill me in on this http_post mechanism that they have been using so effectively these last few weeks;~| Maybe I can cobble together something to blow up in their faces.

    —-best wishes, Robert

    ive explained in a nutshell what you need to do.. rather than worry about whether or not its a post, do this, for the time being:

    ## Things only called from this server

    RewriteCond %{HTTP_REFERER}"!^*$" [NC]
    RewriteCond %{REQUEST_URI} ".*contact.php$"
    RewriteRule .* - [F]

    Since you said in your email to me that you are running multiple domains, you will need to adjust that accordingly. And remember to fill in the and contact with the real names.

    This will keep anyone from accessing the partcular page without having your site in their referer. This includes http_posts and http_gets.

    if you want to allow another domain to be a referer, you merely add another similar line like so :
    RewriteCond %{HTTP_REFERER}"!^*$" [NC]
    RewriteCond %{HTTP_REFERER}"!^*$" [NC]
    RewriteCond %{REQUEST_URI} ".*contact.php$"
    RewriteRule .* - [F]

    … adding a third would be done the same way.


    as for what I pasted in my first reply, that should work also. however this last bit of code, I know works since its exactly what I use on my own site.

    here is just another idea. Has anyone writing these plugins considered sending the http_post off to another page, rather than posting to $PHP_SELF or _self. Thats another very simple way of obfuscating the actual page that contains the http_post

Viewing 15 replies - 1 through 15 (of 76 total)
  • The topic ‘password protection [sic] bypassed;-(’ is closed to new replies.