Textpattern CMS support forum

#121 2007-01-31 11:13:21

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,643

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

>ruud
Thanks a lot for your answer.
Regards,


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

#122 2007-01-31 11:15:08

adamtal
Member
Registered: 2006-09-14
Posts: 25

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

Sorry, but does anyone have a link to any zem_contact documentation?
This is empty —> http://thresholdstate.com/articles/3717/zem_contact-documentation !

#123 2007-01-31 12:12:33

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

zem_contact is not the same as zem_contact_reborn, but both have documentation included, see the plugins tab in Textpattern and click the help link there.

#124 2007-01-31 16:10:46

adamtal
Member
Registered: 2006-09-14
Posts: 25

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

Never noticed the help link… sorry :) Thanks!

#125 2007-02-01 06:25:43

fbox
Member
From: Melbourne
Registered: 2006-02-18
Posts: 42

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

Hi all,

I’ve just discovered that zem_contact_reborn is a bit easier for spammers to hijack than I thought. It would be great if it could validate input and be set to ignore and escape sequences. Has anyone done work on this?

#126 2007-02-01 06:39:09

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

Luke

> I’ve just discovered that zem_contact_reborn is a bit easier for spammers to hijack than I thought.

Are you talking about header injection via one of the textareas? I did some work for the Anonymous File Upload plugin that might be helpful in addressing this…

Ruud would you like me to forward what I have to you?

Last edited by net-carver (2007-02-01 06:41:54)


Steve

#127 2007-02-01 07:49:17

fbox
Member
From: Melbourne
Registered: 2006-02-18
Posts: 42

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

Hello there Steve =)

Yes, email injection into one of the fields. Just trying to find out some helpful specifics now. Slightly amused that this hasn’t been such an obvious problem for ZCR users before…

#128 2007-02-01 11:03:42

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

fbox and Steve… yes, please email me all the information you have, especially if there is a way I can test/reproduce this myself.

As far as I know newlines are filtered from input that is used in the headers, so I wonder what other methods can be used to inject anything in the headers.

Last edited by ruud (2007-02-01 12:49:25)

#129 2007-02-01 23:17:22

Logoleptic
Plugin Author
From: Kansas, USA
Registered: 2004-02-29
Posts: 482

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

ruud wrote:

> You mention ‘tabindex’. I’ve already seen someone asking about ‘onchange’ as well. Both can be added externally with a bit of javascript, but that’s probably a lot more work than having them built in, so adding them to the plugin is probably the better approach.

If so, I’d prefer it be an optional attribute. Tabindex can play havoc with accessibility, making it difficult for people that use assistive software to navigate through a page in any kind of logical order.

#130 2007-02-02 03:11:25

Logoleptic
Plugin Author
From: Kansas, USA
Registered: 2004-02-29
Posts: 482

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

ruud wrote:

> As far as I know newlines are filtered from input that is used in the headers, so I wonder what other methods can be used to inject anything in the headers.

You might have a look at the exploit-prevention methods used in this contact form script. The code’s a bit messy (at least to the eyes of this “girl coder”), but the author did quite a bit of research to make it as secure as possible.

It’s not open source, so lifting anything from it wholesale is a no-no. Might be able to provide some guidance, however.

#131 2007-02-02 05:18:48

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

Ruud

you have mail.


Steve

#132 2007-02-02 09:03:55

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)

tabindex will of course be optional. If not specified it will not show up in the HTML code.

That other contact form… hmm… it doesn’t strip linefeeds and carriage returns from input that is used in headers. It does prevent a few headers from being injected, but it looks like a To: header can still be injected.

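The two defensive points raised in this thread, that header input must have CR/LF filtered out and that blocking a fixed list of header names still lets a To: header through, as an added example (not code from zem_contact_reborn or the other script discussed). The function names and the sample subjects are constructed for illustration.

```python
import re

# Any C0 control character other than horizontal tab, plus DEL. CR and LF end
# a header line, so a value containing them can smuggle extra header lines;
# NUL and the other controls are rejected too rather than silently stripped.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def is_safe_header_value(value: str) -> bool:
    """True only if value can be placed in a mail header without breaking it."""
    return _FORBIDDEN.search(value) is None


def blacklist_only_check(value: str) -> bool:
    """The weak approach described in the thread: refuse a few header names
    but leave line breaks in place. Any header not on the list slips past."""
    blocked = ("bcc:", "cc:", "content-type:")
    lowered = value.lower()
    return not any(name in lowered for name in blocked)


def build_headers(sender_name: str, sender_addr: str, subject: str) -> dict:
    """Assemble the headers a contact form sets from user input, refusing the
    whole message if any field fails the control-character check."""
    for field in (sender_name, sender_addr, subject):
        if not is_safe_header_value(field):
            raise ValueError("header injection attempt rejected")
    return {"From": f"{sender_name} <{sender_addr}>", "Subject": subject}


def rejects(sender_name: str, sender_addr: str, subject: str) -> bool:
    """Helper for tests: does build_headers refuse this input?"""
    try:
        build_headers(sender_name, sender_addr, subject)
    except ValueError:
        return True
    return False


# Constructed sample inputs (hypothetical, not from the thread): an ordinary
# subject and one carrying a line break followed by an extra To: header line.
CLEAN_SUBJECT = "Question about your theme"
INJECTED_SUBJECT = "Hello\r\nTo: someone-else@example.invalid"

if __name__ == "__main__":
    print("blacklist lets To: through:", blacklist_only_check(INJECTED_SUBJECT))
    print("control-char check rejects it:", rejects("Ann", "ann@example.invalid", INJECTED_SUBJECT))
```

Rejecting the submission outright, rather than stripping the characters and sending anyway, also gives the site owner something to log and count.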