Textpattern CMS support forum
#211 2006-02-09 01:51:06
Re: Plug-in: zem_contact_reborn
Hi alannie. It’s not something I normally use but I just tried it over at thebombsite.com and it worked fine. My opening tag was like this:-
<code><txp:zem_contact to="me@mysite.com" thanks_form="thankyou"></code>
The “thankyou” form template was just a simple paragraph – <code><p>Thanks for your message. I shall get back to you as soon as I can.</p></code>
Last edited by thebombsite (2006-02-09 01:52:26)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
#212 2006-02-09 09:12:05
- -P-
- Member

- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
> thebombsite wrote:
> Bots are getting more clever by the minute. I take it the WP plug-in doesn’t have a similar function then. Maybe it’s time to wake the developer up. ;)
> We are currently looking at adding a couple of empty “hidden” fields. When the form is sent it will only be accepted if the fields remain empty. If some really clever bot has filled them in… and combine that with a checkbox as well… maybe it will blow itself up.
I received those actual spams today myself, sent via contact_reborn, the sender address a fake address with my domain, princessdom. And after I had added the checkbox. It is set to yes there. I’d say this is a serious vulnerability and something needs to be done quickly, please.
Last edited by -P- (2006-02-09 09:12:46)
#213 2006-02-09 09:37:55
Re: Plug-in: zem_contact_reborn
Thanks P. It is being worked on. I’m not sure what you meant about the checkbox. Are you saying that who or whatever is sending these has checked it?
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
#214 2006-02-09 09:50:17
- -P-
- Member

- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
Yes, the checkbox has been checked. I guess the who or whatever can/knows how to fill required fields, be it subject field or checkboxes.
Could the solution be flood control, for example only one email in 10 minutes and captcha?
Anyway, this deeply sucks. Not a very nice thing to explain to all the people that have a contact form on their site… that because of it they suddenly start receiving these new spams. And what is worse, somebody uses their domain in spam email addresses. I just hate the internet sometimes.
Last edited by -P- (2006-02-09 10:39:11)
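As an added example that is not part of the thread or of zem_contact_reborn, here is how the two checks raised in the last two posts could be written in PHP: the empty “hidden” fields that must come back empty (post #212) and the flood control of one e-mail per 10 minutes (post #214). The field names, the time window, the JSON store, the function names and the sample submissions are my own assumptions.

```php
<?php
// Added example, not code from zem_contact_reborn or its authors: a honeypot
// check (fields that must stay empty) and a per-address flood control.
// Field names, window length and store location are assumptions.

const ZEM_HONEYPOT_FIELDS = ['website', 'email2'];   // hidden with CSS; humans never see them
const ZEM_FLOOD_WINDOW    = 600;                       // seconds between submissions per client

/**
 * True if every honeypot field came back empty. A bot that fills in every
 * input it finds (the kind that also ticks a required checkbox) trips this.
 * Hide the inputs with CSS rather than type="hidden", and never prefill them.
 */
function zem_honeypot_ok(array $post): bool
{
    foreach (ZEM_HONEYPOT_FIELDS as $field) {
        if (isset($post[$field]) && trim((string) $post[$field]) !== '') {
            return false;
        }
    }
    return true;
}

/**
 * Flood control: one submission per client address per window.
 * $seen maps address => unix time of the last accepted submission and is
 * passed by reference so the caller chooses where to persist it.
 * $now is a parameter rather than time() so the logic can be exercised offline.
 */
function zem_flood_ok(array &$seen, string $addr, int $now): bool
{
    // Forget expired entries so the table does not grow without bound.
    foreach ($seen as $a => $t) {
        if ($now - $t >= ZEM_FLOOD_WINDOW) {
            unset($seen[$a]);
        }
    }
    if (isset($seen[$addr])) {
        return false;             // still inside the window: reject
    }
    $seen[$addr] = $now;
    return true;
}

/** Persist the flood table in a small JSON file, written under an exclusive lock. */
function zem_load_seen(string $path): array
{
    return is_file($path) ? (json_decode((string) file_get_contents($path), true) ?: []) : [];
}

function zem_save_seen(string $path, array $seen): void
{
    file_put_contents($path, json_encode($seen), LOCK_EX);
}

// Constructed walk-through (no real traffic): a bot that filled the honeypot,
// then a human posting twice from the same address inside the window.
function zem_spam_demo(): array
{
    $bot   = ['name' => 'x', 'message' => 'cheap pills', 'website' => 'http://example.org'];
    $human = ['name' => 'Els', 'message' => 'Where should this go?', 'website' => ''];
    $seen  = [];
    $t     = 1139520000;            // any fixed epoch second
    return [
        'bot_honeypot'   => zem_honeypot_ok($bot),
        'human_honeypot' => zem_honeypot_ok($human),
        'first_post'     => zem_flood_ok($seen, '203.0.113.7', $t),
        'repeat_post'    => zem_flood_ok($seen, '203.0.113.7', $t + 60),
        'after_window'   => zem_flood_ok($seen, '203.0.113.7', $t + ZEM_FLOOD_WINDOW),
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(zem_spam_demo());
}
```

In the walk-through the bot fails the honeypot, the human passes it, the first post is accepted, the repeat a minute later is refused and the one at the end of the window is accepted again. Two caveats a practitioner would want: keying the flood table on the client address punishes everyone behind one NAT or proxy and does nothing against a botnet that rotates addresses, and the honeypot only catches bots that fill in every field they see; neither replaces a CAPTCHA, and none of the three stops the header injection discussed later in the thread.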
#215 2006-02-09 16:07:46
- alannie
- Member

- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
> thebombsite wrote:
> <code><txp:zem_contact to="me@mysite.com" thanks_form="thankyou"></code>
> The “thankyou” form template was just a simple paragraph – <code><p>Thanks for your message. I shall get back to you as soon as I can.</p></code>
Thanks for your reply. I have it set up the same way and even tested the thanks form with a <code>txp:output_form</code> tag. I think there may be something wrong with my overall setup, because any error messages get repeated four times. Probably because I have <code>txp:article</code> appearing four times throughout the page. Could that be related to this issue? Is it bad to have more than one instance of that tag? (I use it to output various parts of the article such as title, custom fields, etc. in different places on the page).
Any other ideas for troubleshooting?
#216 2006-02-09 16:52:40
- neptho
- Member

- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 51
Re: Plug-in: zem_contact_reborn
Just parsed the thread. Was going to note that my site has always been a bit of a target – but two days after integrating zem_contact_reborn, spammers have been using it to use MIME types to circumvent security.
Here’s a quick little patch I made (note that I’ve only slightly tested it right now – I haven’t had the time to audit the whole plugin):
<pre>
foreach ($zem_contact_form as $k => $v)
{
    // ssh_mime_patch_for_zem_contact_reborn
    // Refuse the whole submission if any field carries a MIME part header.
    // strpos() returns 0 when the match sits at the very start of the value,
    // and 0 != FALSE is false in PHP, so the comparison must be !== false.
    if (strpos($v, 'multipart/mixed') !== false)
        die("No, I do not think so.");
    $msg[] = $k.': '.htmlspecialchars($v);
}
</pre>
This tests for MIME injection. It should probably be a better, global scope, but, as I said, this is just a quick ‘one off’ patch.
Edit: Ugh. I’m tired of editing this to make my code not get chewed up. I’m beginning to detest this forum. I want my BBCode and [code] tags.
—
alannie: There’s something wrong with your form, or your template logic. Make sure you make this template a “Sticky”. Mine is just an unlinked static page. My thanks template – here’s the section logic:
Section name: thanks
Section title: thanks
Uses page: static_page
Uses Style: default
…
And, my static_page template logic:
…
<txp:article limit=1 form="static_article" status="sticky" />
…
Last edited by neptho (2006-02-10 08:10:58)
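As an added example, not code from neptho or from zem_contact_reborn, the PHP below shows what the one-line patch above is defending against and a stricter form of the check. The array shape (fields keyed by name, plus a list of the fields the plugin copies into mail headers), the function names and the sample submissions are assumptions of mine. The point the patch misses is that the spammer’s real lever is the CR/LF that turns a form field into a second header line; everything after the break is read by the mail transport as more headers, which is how extra recipients and a <code>Content-Type: multipart/mixed</code> part get in. So the check below rejects any line break in a header-bound field rather than looking only for the literal string <code>multipart/mixed</code>.

```php
<?php
// Added example, not code from zem_contact_reborn or its authors: detect
// e-mail header injection in contact-form fields before they reach mail().
// Assumes the submitted fields arrive as an associative array like the
// plugin's $zem_contact_form and that $header_fields names the ones the
// plugin places into From:, Reply-To: or Subject:.

/**
 * Return the name of the first field that looks like a header-injection
 * attempt, or null if every field is clean.
 */
function zem_find_header_injection(array $fields, array $header_fields): ?string
{
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        // A header-bound field must never contain a line break, raw or still
        // URL-encoded (%0D / %0A): whatever follows the break becomes another
        // header, e.g. "Bcc:" with a spam list or "Content-Type:
        // multipart/mixed" introducing the spammer's own MIME parts.
        if (in_array($name, $header_fields, true)
            && preg_match('/\r|\n|%0[aAdD]/', $value)) {
            return $name;
        }
        // In any field, a line that starts with a header the spammer needs
        // (recipients or MIME structure) is a strong signal of an attempt.
        if (preg_match('/(^|[\r\n])[ \t]*(to|cc|bcc|content-type|mime-version)[ \t]*:/i', $value)) {
            return $name;
        }
    }
    return null;
}

/**
 * Last line of defence for a value about to become a header: collapse every
 * CR/LF run to a space, so even a bypass of the check above cannot create a
 * second header line.
 */
function zem_header_value(string $value): string
{
    return trim(preg_replace('/[\r\n]+/', ' ', $value));
}

// Constructed sample submissions (no real traffic): a normal one, and one
// carrying the classic injection through the sender-address field.
function zem_injection_demo(): array
{
    $header_fields = ['name', 'email', 'subject'];
    $clean = [
        'name'    => 'Alannie',
        'email'   => 'alannie@example.com',
        'subject' => 'Question about the thanks form',
        'message' => "Hi Stuart,\nthe thanks_form attribute does nothing here.",
    ];
    $attack = $clean;
    $attack['email'] = "spammer@example.com\r\nBcc: victims@example.net\r\n"
        . "Content-Type: multipart/mixed; boundary=\"x\"\r\n\r\n--x\r\n"
        . "Content-Type: text/html\r\n\r\n<a href=\"http://example.org\">buy</a>\r\n--x--";
    return [
        'clean'  => zem_find_header_injection($clean, $header_fields),
        'attack' => zem_find_header_injection($attack, $header_fields),
        'header' => zem_header_value($attack['email']),
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(zem_injection_demo());
}
```

On the constructed input the clean submission passes (the line break in the message body is harmless because that field never reaches a header), the attack is reported by its field name, <code>email</code>, and the sanitised header value is a single line. The second, header-name pattern is a heuristic and can flag a message body that legitimately begins a line with “To:”; if that matters for a site, keep only the first check, which is the one that actually closes the hole.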
#217 2006-02-09 19:26:45
- alannie
- Member

- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
> neptho wrote:
> alannie: There’s something wrong with your form, or your template logic. Make sure you make this template a “Sticky”. Mine is just an unlinked static page. My thanks template
Are you using the <code>redirect</code> attribute instead of the <code>thanks_form</code> attribute?
#218 2006-02-09 20:02:06
- els
- Moderator

- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: Plug-in: zem_contact_reborn
> neptho wrote:
> Here’s a quick little patch I made (note that I’ve only slightly tested it right now – I haven’t had the time to audit the whole plugin):
> <pre>
> foreach ($zem_contact_form as $k => $v)
> {
>     // ssh_mime_patch_for_zem_contact_reborn
>     if (strpos($v, 'multipart/mixed') != FALSE))
>         die("No, I do not think so.");
>     $msg[] = $k.': '.htmlspecialchars($v);
> }
> </pre>
Where should this go? I started receiving those mails as well.
#219 2006-02-09 20:23:49
- -P-
- Member

- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
> neptho wrote:
> Just parsed the thread. Was going to note that my site has always been a bit of a target – but two days after integrating zem_contact_reborn, spammers have been using it to use MIME types to circumvent security.
> Here’s a quick little patch I made (note that I’ve only slightly tested it right now – I haven’t had the time to audit the whole plugin):
> <pre>
> foreach ($zem_contact_form as $k => $v)
> {
>     // ssh_mime_patch_for_zem_contact_reborn
>     if (strpos($v, 'multipart/mixed') != FALSE))
>         die("No, I do not think so.");
>     $msg[] = $k.': '.htmlspecialchars($v);
> }
> </pre>
> This tests for MIME injection. It should probably be a better, global scope, but, as I said, this is just a quick ‘one off’ patch.
Okay, could I get an exact definition and explanation of MIME types, where they live on my server, what they are and how I know they are secure enough? Bit off topic and a blondie question, sorry.
I posted about these spam attacks on the WP support forum too, since the first spam emails that I got to know about were sent from one of the sites I host, which is running on WordPress. So surely this thing is not just TXP related.
Last edited by -P- (2006-02-09 20:27:22)
#220 2006-02-09 20:26:12
Re: Plug-in: zem_contact_reborn
@Els – the top and bottom lines are already in the code. It’s in the “zem_contact” function and appears just above the <code>if ($send_article == 'yes')</code> line.
Shall I put this out as a temporary fix until my more knowledgeable partners sort something out? I have also fixed the validation problem I mentioned earlier with the “select” output so it might be a useful update.
I feel all left out now that you are all getting this problem. :(
Mind you, just recently I’ve been getting spammed on my GuestBlock. Brain-dead jerk-offs is what I call them. Directly when I can. ;)
@neptho – thanks for the code. Now if you could just explain to me exactly what it is doing please.
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
#221 2006-02-09 20:31:57
Re: Plug-in: zem_contact_reborn
@alannie – how are you calling the contact form to your page template. Do you have it set up as a form then call it with the <code><txp:output_form /></code> tag?
You will have to explain to me why you have 4 “article” tags on a page. Could you not replace 3 of them with the “article_custom” tag? It isn’t generally recommended to use more than 1 “article” tag though, depending on how your site is set up, it can be done.
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
#222 2006-02-09 20:36:42
- alannie
- Member

- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
> neptho wrote:
> There’s something wrong with your form, or your template logic. Make sure you make this template a “Sticky”. Mine is just an unlinked static page. My thanks template – here’s the section logic:
> Section name: thanks
> Section title: thanks
> Uses page: static_page
> Uses Style: default
Neptho, your suggestion gave me another idea – to simply create a separate page template that gets rid of all the extra <code>txp:article</code> tags, and specify that all pages containing a contact form use this template. That resolved the issue. Thanks so much!
#223 2006-02-09 20:37:36
Re: Plug-in: zem_contact_reborn
@P – I don’t think this is either WP/TXP related or plug-in related. It sounds like someone has developed a bot to specifically hit contact forms. How many hits did you get on the TXP site?
Are you using a Captcha plug-in? Did I spot that Sencer had released something somewhere though I think that may have been for comments?
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
#224 2006-02-09 20:38:40
- els
- Moderator

- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: Plug-in: zem_contact_reborn
> @Els – the top and bottom lines are already in the code. It’s in the “zem_contact” function and appears just above the <code>if ($send_article == 'yes')</code> line.
If I do that:
Parse error: parse error, unexpected ')' in /home/virtual/site87/fst/var/www/html/textpattern/lib/txplib_misc.php(459) : eval()'d code on line 98
The above errors were caused by the plugin:zem_contact_reborn
#225 2006-02-09 20:48:23
Re: Plug-in: zem_contact_reborn
@Els – That says you have too many “)” in there. Let me work it into my test site then I’ll update the template and put a new version out. Give me 30 minutes.
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.