VirtueMart Forum

VirtueMart General => About VirtueMart - not for support posts => Topic started by: Misko on July 01, 2010, 11:42:42 AM

Title: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: Misko on July 01, 2010, 11:42:42 AM
I was watching my log files today and I found this:
index.php?page=shop.recommend&product_id=5&pop=1&tmpl=component&option=com_virtuemart&Itemid=4&vmcchk=1&Itemid=4

if you open this link you will get a form with all fields empty and ready to use
from:
to:
subject:
body:

If you fill them and click submit, you can send a message to any e-mail address you want. I think this is a big security issue. It means that my site can be used as a spam gateway without big effort.
I've searched a config option to turn off this feature but I couldn't find it.
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: jenkinhill on July 01, 2010, 21:10:56 PM
Since this could be abused there is certainly a switch in VirtueMart. In VM Admin Configuration/Site/Display/Show the "Recommend to a friend" link?
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: Misko on July 02, 2010, 23:18:22 PM
In this way you can hide the link on the page, but if you use the link I posted (which I found in my log files, not as a referrer but as a direct request) an attacker could exploit this weakness.

I'm afraid that spammers now use Google to find all sites with VM installed.
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: PolishedGeek on July 14, 2010, 08:05:39 AM
We tested this out upon reading this, and found that yes, even without the Recommend to a Friend enabled, spammers could still generate that page by using a page=shop.recommend string.

Here's how we patched the vulnerability on our sites:

Edit <Joomla root>/administrator/components/com_virtuemart/html/shop.recommend.php

Right under

if( !defined( '_VALID_MOS' ) && !defined( '_JEXEC' ) ) die( 'Direct Access to '.basename(__FILE__).' is not allowed.' );

add this:

header('Location: http://joomla.org/');
exit;

You can delete the rest of the contents of the file. What this does is redirect the page to the address you specify before the form even gets generated. We decided to send spammers trying to use shop.recommend right to our custom Error 404 page.

I suppose you could delete the file entirely, but this seemed like a more graceful method than letting the server throw a file name request error.

Thanks for the heads up on this issue!

~ Deb Cinkus
Polished Geek, LLC
www.PolishedGeek.com
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: randomperson on September 24, 2010, 03:41:20 AM
people, you should really remove this "feature" from virtuemart altogether! a lot of people don't even know what kind of danger it brings to their stores
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: t.vdmeulen on October 04, 2010, 13:14:24 PM
Hi,

This seems to be a high vulnerability! I found that this weekend my joomla site with VM (V1.1.0) was used by a spammer to send email through the shop.recommend script. It did a POST request with some values to send email constantly.

A solution could be CAPTCHA (going to try this for myself). When I have a fix I will post it here.
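The first post found the form URL by watching the web server log, and this one describes a stream of POST requests to the shop.recommend script. The following is an added example (not code from the thread or from VirtueMart) that scans Apache combined-format access log lines for hits to shop.recommend and reports client IPs that POST to it repeatedly or reach it with no referrer. The log lines and IP addresses are constructed, and the two-POST threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2010:10:01:02 +0000] "GET /index.php?page=shop.recommend&product_id=5&option=com_virtuemart HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jul/2010:10:01:05 +0000] "POST /index.php?page=shop.recommend&product_id=5&option=com_virtuemart HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jul/2010:10:01:06 +0000] "POST /index.php?page=shop.recommend&product_id=5&option=com_virtuemart HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jul/2010:10:02:00 +0000] "GET /index.php?page=shop.product_details&product_id=5&option=com_virtuemart HTTP/1.1" 200 9876 "http://shop.example/" "Mozilla/5.0"
198.51.100.9 - - [02/Jul/2010:10:03:00 +0000] "POST /index.php?page=shop.recommend&product_id=5&option=com_virtuemart HTTP/1.1" 200 512 "http://shop.example/index.php?page=shop.product_details" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Match page=shop.recommend as a whole query parameter, not shop.recommend_foo
RECOMMEND_RE = re.compile(r'[?&]page=shop\.recommend(?:&|$)')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def recommend_activity(lines):
    """Per client IP: count of GET, POST and referrer-less ("direct") hits to shop.recommend."""
    stats = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not RECOMMEND_RE.search(rec["path"]):
            continue
        stats[rec["ip"]][rec["method"]] += 1
        if rec["referer"] == "-":
            stats[rec["ip"]]["direct"] += 1
    return stats


def suspicious_ips(lines, post_threshold=2):
    """IPs that POST to the recommend script repeatedly or reach it without a referrer."""
    return sorted(
        ip for ip, c in recommend_activity(lines).items()
        if c["POST"] >= post_threshold or c["direct"] > 0
    )


if __name__ == "__main__":
    for ip, c in recommend_activity(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(c))
    print("suspicious:", suspicious_ips(SAMPLE_LOG.splitlines()))
```

Run it against a real access log with `recommend_activity(open("access.log"))`; the threshold and the referrer check are starting points to tune for a site where the legitimate form is linked from product pages.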
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: bgdaddy55 on October 14, 2010, 16:11:34 PM
Hello,
Thanks for the quick tutorial on this.  I was contacted by my server admin for sending tons of SPAM.  After further review, they were using this part of VM to SPAM others.  I followed the instructions above and it is now solved. 
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: maslan on January 12, 2011, 08:11:47 AM
Hi all,

I have made some modifications and now it is with captcha. You may download the updated shop.recommend.php from http://freecodestore.com

Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: cmrogm on January 20, 2011, 23:01:46 PM
Hi Maslan - This question is specifically for you.
Our website is getting tons of spam submitted through our VM forms for each of our equipment listings. Can you please tell me how you created the captcha form? I need a solution fast, as this is driving us crazy.

Thanks,
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: maslan on January 20, 2011, 23:06:03 PM
Hi cmrogm,

I used javascript to create captcha.

Which forms are being used? I will try to help, if there is something I can do.

Best regards,

Mustafa
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: jenkinhill on January 20, 2011, 23:34:33 PM
Quote from: cmrogm on January 20, 2011, 23:01:46 PM
I need a solution fast, as this is driving us crazy?

Download Walter Cedric's SecurityImages 5.1.2 from http://waltercedric.com/joomla-mainmenu-247/304-securityimages.html

You will also need his Joomla and VirtueMart patches. See http://wiki.waltercedric.com/index.php?title=SecurityImages5.0.X for full instructions.
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: AH on January 21, 2011, 09:08:08 AM
maslan, they just turn off java and go through the backend
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: maslan on January 21, 2011, 15:19:30 PM
Hi Hutson,

Validation is done by javascript but the real page is hidden till it is being validated. And this hide/show is done by PHP, not javascript (the code producing recommendation form is not processed if validation fails).

I tried the page by turning the java off and nothing comes on. Please see the picture below.

You may try at http://celiskiler.com/index2.php?page=shop.recommend&product_id=5&pop=1&tmpl=component&option=com_virtuemart1&Itemid=54 by turning the javascript off. You won't even see the recommendation form.

Best regards,

Mustafa
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: Burnman on September 01, 2011, 17:30:26 PM
I know this topic is old but I just only now found this exploit issue in our installment of virtuemart and it was killing us.
It seems that the "recommend a product to a friend" was a huge exploit and it allowed a hacker to do something that caused us to constantly send emails out that bounced back, and I'm talking thousands per day. Only when we transferred our hosting to another company did they help us in tracking the IP associated to the perv and temporarily stop them.

That's why I'm here, looking for a solution. I'll use the fix posted on this thread, but I just wanted to make this exploit known and it should be fixed or removed.
I didn't do past updates because we have made some modifications to the product and, due to our developer not being with us any more, there was no way to do this without reverting and losing all our mods.

Fortunately the company I help develop is creating our own in-house site and tools that will replace anything Joomla. We found that when you have too many modules or components that could be exploited, there are too many variables to keep track of, especially if these products aren't kept up to date security-wise.

I do thank you however on making this issue known and having a fix for this. I'm not sure if this fix was added to latest update, if it hasn't, it should.

Cheers!

Bernard
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: PRO on September 01, 2011, 18:28:13 PM
I know a site that got hacked via the shop.recommend

This will disable it totally.
Replace the whole file with this, and they automatically get sent to the homepage:
administrator/components/com_virtuemart/html/shop.recommend.php

<?php
if( !defined( '_VALID_MOS' ) && !defined( '_JEXEC' ) ) die( 'Direct Access to '.basename(__FILE__).' is not allowed.' );
// Redirect every request for shop.recommend before the form is ever built
header('Location: http://www.YOURSITE.COM/');
exit;
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: davidla on November 04, 2011, 22:00:58 PM
you can if you have a good smtp server
Title: Re: Vulnerability report: It's possible to use recommend form to send SPAM e-mails
Post by: charles99 on November 04, 2011, 23:21:45 PM
Has this been fixed?   I am just reading about this problem...