
Email form invisibly allows spam by default

Open zyphlar opened this issue 7 months ago • 4 comments

Using v1.7.42.3 / Admin v1.10.43, I discovered that my site (and email server) has been sending out tons of spam without me realizing.

Problem 1: the default destination email address is something like [email protected] so without digging into settings I've been missing any contact form submissions this entire time. Also, the spam problem has persisted this entire time without me realizing.

Problem 2: the user is somehow able to customize the "To" field as well as the message content, which means they're able to send spam to strangers.

Problem 3: There are CAPTCHA settings in the Form plugin but it's not immediately obvious how to actually enable them, so my solution is to just disable the contact form and tell people to email me instead.

Problem 4: All of this is the default behavior of Grav, and in the ten minutes it took me to write this email I got 5 spam messages, so it's obvious that spammers know about this weakness and are actively exploiting it.

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: by example.com (Postfix, from userid 997)
	id 02B2F60C64; Thu, 11 Jan 2024 02:09:15 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by example.com (Postfix) with SMTP id EF4A260C60;
	Thu, 11 Jan 2024 02:09:15 +0000 (UTC)
From: [email protected]
To: [email protected], [email protected]
Subject: [Contact] =?utf-8?Q?=F0=9F=92=B3?= BAM 83764.62p:
 https://www.evil-website.example.co.uk/uploads/go.php?2cq0
 =?utf-8?Q?=F0=9F=92=B3?=
Message-ID: <[email protected]>
MIME-Version: 1.0
Date: Thu, 11 Jan 2024 02:09:15 +0000
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

zyphlar, Jan 11 '24 02:01
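An added example, not code from the issue or the Form plugin: a check a site owner can run over the mail their contact form sends out, to catch the behaviour described in Problem 2 (the submitter choosing the "To" recipient) and the kind of subject seen in the quoted headers. The allowed recipient, the sample message and all addresses in it are constructed placeholders modelled on the headers above.

```python
import email
import re
from email.utils import getaddresses

# Assumption: the only mailbox the contact form should ever deliver to.
ALLOWED_RECIPIENTS = {"owner@example.com"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample, shaped like the message quoted in the issue:
# the form's own sender, two recipients, and a URL pushed into the subject
# through the "Name" field. Addresses are placeholders, not real ones.
SAMPLE_MESSAGE = """\
Return-Path: <www-data@example.com>
From: www-data@example.com
To: owner@example.com, victim@example.net
Subject: [Contact] BAM 83764.62p: https://www.evil-website.example.co.uk/uploads/go.php?2cq0
Message-ID: <20240111020915.EF4A260C60@example.com>
Date: Thu, 11 Jan 2024 02:09:15 +0000
Content-Type: text/plain; charset=utf-8

Name: BAM 83764.62p
Email: sender@example.org
Message: fokerv
"""


def audit_contact_mail(raw: str, allowed=ALLOWED_RECIPIENTS) -> dict:
    """Return findings for one outbound message produced by the contact form.

    unexpected_recipients: To:/Cc: addresses outside the allowlist, which is
    the signature of a form that lets the submitter pick the destination.
    url_in_subject: a link in the subject line, typical of relay spam.
    """
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    # get_all returns every To:/Cc: header; getaddresses splits them into
    # (display-name, address) pairs so comma-separated lists are handled.
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = {addr.lower() for _, addr in pairs if addr}
    allowed_lower = {a.lower() for a in allowed}
    return {
        "is_contact_form": subject.startswith("[Contact]"),
        "unexpected_recipients": sorted(recipients - allowed_lower),
        "url_in_subject": bool(URL_RE.search(subject)),
    }
```

Run it over a Postfix spool or a mailbox export; any message with a non-empty `unexpected_recipients` list is one the form relayed on behalf of a stranger.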