roaima
Forum Replies Created
That’s amazingly fast work, thank you!
Yes, treating each site separately would be perfect. (Is that an option I missed during installation?)
Thanks!
Going to https://www.harrogateitconsulting.uk/wp-json/wp/v2/posts gets me an empty [] with HTTP/1.1 status 200 OK (I don’t have posts, just pages). Is that correct?
More discovery. It’s two specific clauses in burst-statistics/functions.php that return the network hostname if it’s a network installation. Commenting these out makes the code work here.
Why have it at all?
Forum: Reviews
In reply to: [Custom Contact Forms] Spam gateway – do not use "as-is"
The captcha, recaptcha, whatever is completely irrelevant. The HTML code that is generated by the form makes it trivial for a third party to send email through your mailer. This completely bypasses the validation.
Want an example? Let me know your WordPress contact page and an (obfuscated) target email address I should hit, and I’ll demonstrate.
Sigh.
Sadly even with version 5.1.0.3 I can still route spam through anyone else’s Custom Contact Form. No login required.
Forum: Reviews
In reply to: [Custom Contact Forms] Spam gateway – do not use "as-is"
Sadly even with version 5.1.0.3 I can still route spam through anyone else’s Custom Contact Forms. No login required.
The “are you human” checkbox is also irrelevant to the problem. CCF can be used to make your website send spam to third parties. As a side-effect you get a copy of every single email, too.
If the author cared enough to contact me we could get this resolved within hours. I have tried to contact the author using their advertised email address, via their advertised website, via a support ticket, and most recently via a review.
Forum: Reviews
In reply to: [Custom Contact Forms] Spam gateway – do not use "as-is"
The recaptcha does nothing whatsoever to mitigate the problem. CCF is still a Spam gateway.
Furthermore, the new captcha feature does nothing whatsoever to mitigate the problem. If anything, it makes it worse because people believe that CCF must be safe,
I have not conducted a serious review of the code. (What I have done is to prove to myself that the flaw exists, and that was sufficient for me.) However, the exploit that I have discovered does not rely on any access to the underlying system.
Well, I know exactly where the problem lies, and it’s only reliably fixable by removing some functionality (and the corresponding code). Unfortunately the author neither responds in this forum nor to the advertised email address, nor via the contact form on his website.
What to do? I suggest marking the plugin as “does not work” until this problem is resolved.