VirtueMart Forum

VirtueMart 2 + 3 + 4 => Security (https) / Performance / SEO, SEF, URLs => Topic started by: isabeaux on September 18, 2016, 22:50:45 PM

Title: Security Issue? Email recommendation
Post by: isabeaux on September 18, 2016, 22:50:45 PM
I just noticed in my spam folder that on August 19 my server sent out a recommendation of probably every product in my shop to sample@email.tst

My first impression was that I had triggered something in the back end, mea culpa, but now I realize that someone was trying a hack. I found out by seeing the bounced emails since sample@email.tst doesn't resolve.
Looking through all of these bounced emails I see that in the recommended text there was a "1" for all of them. These emails were within a second of each other so they were not manually sent.
This is disconcerting to me for a couple of reasons: I don't allow users who are not signed in to send recommendations, yet the system is allowing it. Also I had set the minimum characters to 50 but they clearly skirted that.  I have disabled it for the time being, but I'm not sure that it will do much. 

These were my settings on the shop configuration:

Quote: Recommend a product, ask questions

Show the Recommend to a friend link   [checked]
Allow non logged-in to send a recommendation or ask a question   [unchecked]
Use ReCaptcha for recommendations and 'Ask a question'   [unchecked]
Allows to Ask a question   [unchecked]
Question minimum length   50
Question maximum length   2000

I have now unchecked the "show the recommend" and checked the captcha option. For some reason the captcha was not showing on the popup, but it was preventing the message from going through, essentially not allowing the recommendation. I don't know why that was happening, could be a template error (using Clarion + Gantry 4 from RocketTheme.com); either way, the vulnerability is too much to leave open.

Is this a security issue or did I configure something wrong?   :-\

Using Joomla 3.6.2
VirtueMart 3.0.17
Title: Re: Security Issue? Email recommendation
Post by: jjk on September 18, 2016, 23:34:45 PM
Sounds to me like a spambot issue. Check your access log on the server. Usually you can download it using an FTP connection. Just pick some exact times from the emails and try to locate them in the access log. Every line in the access log begins with an IP number. If all suspicious 'recommend' posts are coming from the same IP (check whois to find out who owns it), you can disallow that IP in your .htaccess file.

I don't know if there is an extension which specifically takes care of 'recommend to a friend' spambots. Extensions like ECC+ or SpamboCheck might help.
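The log check jjk describes, as an added example that is not part of this thread or of VirtueMart itself: it parses Apache combined-format access-log lines, pulls out the requests that landed within a few seconds of a timestamp taken from a bounced email, flags any IP that fired a burst of recommend submissions within a short window, and prints the Apache 2.4 `.htaccess` directives that would block those IPs. The log lines are constructed samples using documentation IP ranges, and the assumption that the recommend form posts to a URL containing `task=recommend` is a placeholder to adjust to what your own log shows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (documentation IP ranges).
# Not the poster's real log; the shape mirrors the incident described in the thread:
# one client firing a recommend request for product after product within a second.
SAMPLE_LOG = """\
203.0.113.45 - - [19/Aug/2016:14:02:11 +0000] "POST /index.php?option=com_virtuemart&view=productdetails&task=recommend&virtuemart_product_id=12 HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.45 - - [19/Aug/2016:14:02:11 +0000] "POST /index.php?option=com_virtuemart&view=productdetails&task=recommend&virtuemart_product_id=13 HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.45 - - [19/Aug/2016:14:02:11 +0000] "POST /index.php?option=com_virtuemart&view=productdetails&task=recommend&virtuemart_product_id=14 HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.45 - - [19/Aug/2016:14:02:12 +0000] "POST /index.php?option=com_virtuemart&view=productdetails&task=recommend&virtuemart_product_id=15 HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.45 - - [19/Aug/2016:14:02:12 +0000] "POST /index.php?option=com_virtuemart&view=productdetails&task=recommend&virtuemart_product_id=16 HTTP/1.1" 303 512 "-" "Mozilla/5.0"
203.0.113.45 - - [19/Aug/2016:14:02:12 +0000] "POST /index.php?option=com_virtuemart&view=productdetails&task=recommend&virtuemart_product_id=17 HTTP/1.1" 303 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2016:14:09:40 +0000] "GET /index.php?option=com_virtuemart&view=productdetails&virtuemart_product_id=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2016:14:10:02 +0000] "POST /index.php?option=com_virtuemart&view=productdetails&task=recommend&virtuemart_product_id=12 HTTP/1.1" 303 512 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Aug/2016:14:11:30 +0000] "GET /index.php?option=com_virtuemart&view=category&virtuemart_category_id=3 HTTP/1.1" 200 9400 "-" "Mozilla/5.0"
"""

# Assumption: the "Recommend to a friend" form posts to a URL containing this marker.
# Replace it with whatever the real submission looks like in your own access log.
RECOMMEND_MARKER = "task=recommend"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_apache_time(text):
    """Turn '19/Aug/2016:14:02:11 +0000' into a timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "ts": parse_apache_time(m["ts"]),
                            "method": m["method"], "path": m["path"],
                            "status": int(m["status"])})
    return entries


def hits_near(entries, when, tolerance=timedelta(seconds=5)):
    """Requests within `tolerance` of a timestamp copied from a bounced email."""
    return [e for e in entries if abs(e["ts"] - when) <= tolerance]


def max_burst(times, window):
    """Largest number of timestamps that fall inside any sliding window of `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def suspicious_ips(entries, marker=RECOMMEND_MARKER,
                   window=timedelta(seconds=2), min_hits=5):
    """IPs that POSTed `min_hits` or more recommend requests inside `window`."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and marker in e["path"]:
            per_ip[e["ip"]].append(e["ts"])
    return {ip: max_burst(ts, window) for ip, ts in per_ip.items()
            if max_burst(ts, window) >= min_hits}


def htaccess_deny(ips):
    """Apache 2.4 directives blocking the given IPs (Apache 2.2 used 'Deny from')."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Step 1 (jjk): look up the time from the bounced email in the access log.
    bounce_time = parse_apache_time("19/Aug/2016:14:02:11 +0000")
    for e in hits_near(entries, bounce_time):
        print(e["ts"], e["ip"], e["method"], e["path"][:70])
    # Step 2: see whether the suspicious posts all come from one IP.
    bots = suspicious_ips(entries)
    print(bots)
    # Step 3: block it in .htaccess (check whois on the IP first).
    if bots:
        print(htaccess_deny(bots))
```

A single-request legitimate recommendation (198.51.100.7 above) stays below the burst threshold, so it is not flagged; only the client that submitted six recommendations inside one second is listed. Loosen or tighten `window` and `min_hits` to match how the real shop is used.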
Title: Re: Security Issue? Email recommendation
Post by: Milbo on September 21, 2016, 08:47:36 AM
Quote from: isabeaux on September 18, 2016, 22:50:45 PM
My first impression was that I had triggered something in the back end, mea culpa, but now I realize that someone was trying a hack. I found out by seeing the bounced
This is disconcerting to me for a couple of reasons: I don't allow users who are not signed in to send recommendations, yet the system is allowing it.
I think I fixed that, please check with the vm3.0.18

Quote from: isabeaux on September 18, 2016, 22:50:45 PM
Also I had set the minimum characters to 50 but they clearly skirted that.
I think it is or was checked only by js.

Quote from: isabeaux on September 18, 2016, 22:50:45 PM
Quote: Recommend a product, ask questions

Show the Recommend to a friend link   [checked]
Allow non logged-in to send a recommendation or ask a question   [unchecked]
Use ReCaptcha for recommendations and 'Ask a question'   [unchecked]
Allows to Ask a question   [unchecked]
Question minimum length   50
Question maximum length   2000

I think to enable captcha is the right answer.
Title: Re: Security Issue? Email recommendation
Post by: isabeaux on September 21, 2016, 22:20:09 PM
Thank you, yes, captcha is always safe to have.

I went through the logs and didn't find anything. It's like looking for a needle in a haystack even when I know the time. The thing is that I only found out because they were bounced emails, and I happened to check the spam folder. This was a month ago, and I wonder if they exploited that since. I don't have a record of server sent mails.

Thank you again,
Tomás
Title: Re: Security Issue? Email recommendation
Post by: Daxiiy7 on September 22, 2016, 23:50:12 PM
Yeah, probably an automatic bot that crawls the internet exploiting these vulnerabilities... good that you caught it, but I wouldn't be extremely concerned, it's probably not aimed at you deliberately.