Bug #19057: Spam attacks via Standard Mailform
Status: closed

Description
It seems that class.tslib_fe.php could be misused for mass spam attacks again. Even if I delete the form on the site, spam is submitted. Also, all JavaScript checks for required fields were not done and selector boxes were not recognized (no entries submitted for these).
Here's the text of the received message; unfortunately there's also no information about the sender.
ORGANISATION_FIRMA: tGoHiqVoprTZfI
VORNAME_NAME: Gzzmnlko
ADRESSE: vjGhhdJb
LAND_POSTLEITZAHL_ORT: kegehQRyZxrrd
TELEFON: lrRVnQkGRNJAR
EMAIL: lnnzktal@frpaccew.com
MITTEILUNG:
(issue imported from #M8894)
Updated by Franz Holzinger over 16 years ago
Maybe the spam checker from tt_board should be incorporated here? Or the extension sr_freecap.
Updated by Ivo Frieden over 16 years ago
Hello Franz, thanks for replying. I don't think that a captcha could solve the problem, as the spam is also sent when I delete the entire form.
Updated by Martin Kutschker over 16 years ago
To whom is the mail sent? To the configured address? In this case everything's alright as the built-in checks only prevent the abuse of the site as spam sending server.
Updated by Ivo Frieden over 16 years ago
Hi Martin, yes, spam is only sent to the configured address, but I've got dozens of mails every day (in time intervals of 6 or 7 minutes). Even if it is only sent to the configured address, this is mass spam sending which also comes through with deleted forms. In the statistics, I could see that the thanks page was hit 230 times a day! This is why I think that class.tslib_fe.php is called directly by a third-party mass spam sending application. The sender seems to have given it up for now, but I'll keep an eye on it.
Updated by Martin Kutschker over 16 years ago
It's strange that you say a deleted form has sent mails, but the quoted messages make me think that the bot took the form for a forum. This kind of spam is typical for forums and guest books.
Maybe there is a bug in the handling of POST data within TYPO3. Possible scenario: the spammer knows how the form is structured and sends multiple POST requests. TYPO3 doesn't check (that's the theory) that the form isn't active any more and handles the submitted data.
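A defensive pattern for the scenario described above, added here as an illustration and not TYPO3's own code: the rendered form carries an HMAC-signed token naming the form and an expiry, and the submission handler refuses any POST that lacks a valid token or names a form that no longer exists on the server. The form registry, field names, recipient and secret are assumptions.

```php
<?php
// Added illustration, not TYPO3 code. Forms currently rendered on the site,
// keyed by id (assumed structure); a deleted form simply disappears from here.
$activeForms = [
    'contact' => [
        'recipient' => 'info@example.invalid',
        'fields'    => ['VORNAME_NAME', 'EMAIL', 'MITTEILUNG'],
    ],
];
const FORM_SECRET = 'change-me: random server-side secret, never sent to clients';
const TOKEN_TTL   = 3600;   // seconds a rendered form stays submittable
// Rendering: emit a hidden field "formId|expiry|hmac" that the browser sends
// back. Form ids must not contain '|', the separator.
function issueToken(string $formId, ?int $now = null): string
{
    $now ??= time();
    $payload = $formId . '|' . ($now + TOKEN_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, FORM_SECRET);
}
// Submission: accept only an unexpired token with a valid MAC that names a form
// which still exists; recipient and field list come from the server-side
// definition, never from the POST body.
function acceptSubmission(array $post, array $activeForms, ?int $now = null): ?array
{
    $now ??= time();
    $parts = explode('|', $post['formtoken'] ?? '', 3);
    if (count($parts) !== 3) {
        return null;                     // direct POST without a token
    }
    [$formId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $formId . '|' . $expires, FORM_SECRET);
    if (!hash_equals($expected, $mac) || (int) $expires < $now) {
        return null;                     // forged, tampered or stale token
    }
    if (!isset($activeForms[$formId])) {
        return null;                     // the form was deleted: drop it
    }
    $data = [];
    foreach ($activeForms[$formId]['fields'] as $name) {
        if (trim((string) ($post[$name] ?? '')) === '') {
            return null;                 // required fields enforced server-side
        }
        $data[$name] = $post[$name];
    }
    return ['to' => $activeForms[$formId]['recipient'], 'data' => $data];
}
// Constructed requests: a bare POST like the reported spam, and a real one.
$spam = acceptSubmission(['EMAIL' => 'x@y.invalid', 'MITTEILUNG' => 'buy ...'], $activeForms);
$real = acceptSubmission(['formtoken' => issueToken('contact'), 'VORNAME_NAME' => 'A',
                          'EMAIL' => 'a@b.invalid', 'MITTEILUNG' => 'hi'], $activeForms);
```

Only `$real` yields a recipient and data; the token check also turns a replayed old form into a no-op once its expiry has passed, and a form removed from the registry is rejected even with a still-valid token.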
Updated by Ivo Frieden over 16 years ago
Yep, you've got it. As forms are often built with the same structure, this operation could easily be done and affects a wide range of installations. But why has no one else reported this until now? Let's keep an eye on it.
Updated by Alexander Opitz over 11 years ago
- Status changed from New to Needs Feedback
- Target version deleted (0)
The issue is very old; does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?
Updated by Ivo Frieden over 11 years ago
I can't reproduce this behaviour, for the reason that I use other extensions to build my forms, such as powermail or formhandler. So probably this issue can be closed.
Updated by Alexander Opitz over 11 years ago
- Status changed from Needs Feedback to Closed
Closed as commented.