Textpattern CMS support forum
#121 2007-01-31 11:13:21
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
>ruud
Thanks a lot for your answer.
Regards,
Patrick.
Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.
#122 2007-01-31 11:15:08
- adamtal
- Member
- Registered: 2006-09-14
- Posts: 25
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
Sorry, but, does anyone have a link to any zem_contact documentation?
this is empty —> http://thresholdstate.com/articles/3717/zem_contact-documentation !
#123 2007-01-31 12:12:33
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
zem_contact is not the same as zem_contact_reborn, but both have documentation included, see the plugins tab in Textpattern and click the help link there.
#124 2007-01-31 16:10:46
- adamtal
- Member
- Registered: 2006-09-14
- Posts: 25
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
Never noticed the help link… sorry :) thanks!
#125 2007-02-01 06:25:43
- fbox
- Member
- From: Melbourne
- Registered: 2006-02-18
- Posts: 42
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
Hi all,
I’ve just discovered that zem_contact_reborn is a bit easier for spammers to hijack than I thought. It would be great if it could validate input and be set to ignore and escape sequences. Has anyone done work on this?
#126 2007-02-01 06:39:09
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
Luke
I’ve just discovered that zem_contact_reborn is a bit easier for spammers to hijack than I thought.
Are you talking about header injection via one of the textareas? I did some work for the Anonymous File Upload plugin that might be helpful in addressing this…
Ruud would you like me to forward what I have to you?
Last edited by net-carver (2007-02-01 06:41:54)
— Steve
#127 2007-02-01 07:49:17
- fbox
- Member
- From: Melbourne
- Registered: 2006-02-18
- Posts: 42
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
Hello there Steve =)
Yes, email injection into one of the fields. Just trying to find out some helpful specifics now. Slightly amused that this hasn’t been such an obvious problem for ZCR users before…
#128 2007-02-01 11:03:42
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
fbox and steve… yes, please email me all the information you have, especially if there is a way I can test/reproduce this myself.
As far as I know newlines are filtered from input that is used in the headers, so I wonder what other methods can be used to inject anything in the headers.
Last edited by ruud (2007-02-01 12:49:25)
#129 2007-02-01 23:17:22
- Logoleptic
- Plugin Author
- From: Kansas, USA
- Registered: 2004-02-29
- Posts: 482
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
ruud wrote:
You mention ‘tabindex’. I’ve already seen someone asking about ‘onchange’ as well. Both can be added externally with a bit of javascript, but that’s probably a lot more work than having them built in, so adding them to the plugin is probably the better approach.
If so, I’d prefer it be an optional attribute. Tabindex can play havoc with accessibility, making it difficult for people that use assistive software to navigate through a page in any kind of logical order.
#130 2007-02-02 03:11:25
- Logoleptic
- Plugin Author
- From: Kansas, USA
- Registered: 2004-02-29
- Posts: 482
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
ruud wrote:
As far as I know newlines are filtered from input that is used in the headers, so I wonder what other methods can be used to inject anything in the headers.
You might have a look at the exploit-prevention methods used in this contact form script. The code’s a bit messy (at least to the eyes of this “girl coder”), but the author did quite a bit of research to make it as secure as possible.
It’s not open source, so lifting anything from it wholesale is a no-no. Might be able to provide some guidance, however.
#131 2007-02-02 05:18:48
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
Ruud
you have mail.
— Steve
#132 2007-02-02 09:03:55
Re: Plugin: zem_contact_reborn 4.0.3.18 (old version)
tabindex will of course be optional. If not specified it will not show up in the HTML code.
That other contact form… hmm… it doesn’t strip linefeeds and carriage returns from input that is used in headers. It does prevent a few headers from being injected, but it looks like a To: header can still be injected.
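To make concrete what the two posts by ruud above describe (a newline in a form field that ends up in a mail header, and a filter that blocks a few header names but still lets a To: header through), here is an added PHP example. It is not code from zem_contact_reborn, Textpattern or the other contact script mentioned in the thread; the function names and the sample attacker input are constructed for illustration, and nothing is actually sent.

```php
<?php
// Added example: mail-header injection against a contact form, and the
// check that stops it. Not code from zem_contact_reborn or Textpattern;
// all function names and the sample input below are constructed.

declare(strict_types=1);

// Constructed attacker input for the "your e-mail" field. The ">" closes
// the angle bracket the form puts around the address, the CRLF starts a
// new header line, and the trailing "X-Pad: <" swallows the form's own
// closing ">" so every resulting header line stays well-formed.
const ATTACKER_EMAIL = "victim@example.com>\r\nTo: spamtarget@example.net\r\nX-Pad: <";

// Vulnerable: the field is interpolated straight into the string that a
// contact form would pass to mail() as additional_headers.
function build_headers_unsafe(string $from_name, string $from_email): string
{
    return "From: $from_name <$from_email>\r\n"
         . "X-Mailer: contact-form-example";
}

// Header-name blacklist: refuses a few known header names but leaves the
// newline in place, so any header not on the list (here To:) goes through.
function build_headers_blacklist(string $from_name, string $from_email): ?string
{
    foreach (['bcc:', 'cc:', 'content-type:'] as $banned) {
        if (stripos($from_email, $banned) !== false) {
            return null; // rejected
        }
    }
    return build_headers_unsafe($from_name, $from_email);
}

// Hardened: a single header value may never contain CR, LF or any other
// control character. Reject the submission instead of trying to repair it.
function header_value_is_safe(string $value): bool
{
    // \x00-\x1F covers CR, LF, NUL and the other C0 controls; \x7F is DEL.
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

function build_headers_safe(string $from_name, string $from_email): ?string
{
    if (!header_value_is_safe($from_name) || !header_value_is_safe($from_email)) {
        return null;
    }
    // The address must also parse as exactly one mailbox.
    if (filter_var($from_email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quote the display name so it cannot break out of the From: syntax.
    $name = '"' . addcslashes($from_name, '"\\') . '"';
    return "From: $name <$from_email>\r\n"
         . "X-Mailer: contact-form-example";
}

// Show what each variant would hand to mail() as additional_headers.
$variants = [
    'unsafe'    => 'build_headers_unsafe',
    'blacklist' => 'build_headers_blacklist',
    'safe'      => 'build_headers_safe',
];
foreach ($variants as $label => $fn) {
    $headers = $fn('Luke', ATTACKER_EMAIL);
    echo "== $label ==\n";
    if ($headers === null) {
        echo "(rejected)\n";
    } else {
        // Print each header on its own line, with the CRLF made visible.
        echo str_replace("\r\n", "\\r\\n\n", $headers), "\n";
    }
}
```

Run with `php` on the command line. The unsafe and blacklist variants both produce a header block in which `To: spamtarget@example.net` appears as its own line; on a typical Unix setup PHP's mail() hands additional_headers to `sendmail -t -i`, which takes recipients from the To:, Cc: and Bcc: headers, so the injected line adds a real recipient. The blacklist does not help because it only knows about the header names it was told about. The safe variant rejects the input on the first CR/LF, which is the check ruud describes as already present in zem_contact_reborn; validating the address on top of that catches inputs that are malformed without containing control characters.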