News:

You may pay someone to create your store, or you visit our seminar and become a professional yourself with the silver certification

Main Menu

Security Issue? Email recommendation

Started by isabeaux, September 18, 2016, 22:50:45 PM

Previous topic - Next topic

isabeaux

I just noticed in my spam folder that on August 19 my server sent out a recommendation of probably every product in my shop to sample@email.tst

My first impression was that I had triggered something in the back end, mea culpa, but now I realize that someone was trying a hack. I found out by seeing the bounced emails since sample@email.tst doesn't resolve.
Looking through all of these bounced emails I see that in the recommended text there was a "1" for all of them. These emails were within a second of each other so they were not manually sent.
This is disconcerting to me for a couple of reasons: I don't allow users who are not signed in to send recommendations, yet the system is allowing it. Also I had set the minimum characters to 50 but they clearly skirted that.  I have disabled it for the time being, but I'm not sure that it will do much. 

These were my settings on the shop configuration:

QuoteRecommend a product, ask questions

Show the Recommend to a friend link   [checked]
Allow non logged-in to send a recommendation or ask a question   [unchecked]
Use ReCaptcha for recommendations and 'Ask a question'   [unchecked]
Allows to Ask a question   [unchecked]
Question minimum length   50
Question maximum length   2000

I have now unchecked the "show the recommend" and checked the captcha option. For some reason the captcha was not showing on the popup, but it was preventing the message to go through, essentially not allowing the recommendation. I don't know why that was happening, could be a template error (using Clarion + Gantry 4 from RocketTheme.com), either way the vulnerability is too much to leave that open.

Is this a security issue or did I configure something wrong?   :-\

Using Joomla 3.6.2
VirtueMart 3.0.17

jjk

Sounds to me like a spambot issue. Check your access log on the server. Usually you can download it using an ftp connection. Just pick some exact times from the emails and try to locate them in the access log. Every line in the access log begins with an ip number. If all suspicious 'recommend' posts are coming from the same ip (check whois to find out who owns it), you can disallow that ip in your .htaccess file.

I don't know if there is an extension which specifically takes care of 'recommend to a friend' spambots. Extensions like ECC+ or SpamboCheck might help.
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

Milbo

Quote from: isabeaux on September 18, 2016, 22:50:45 PM
My first impression was that I had triggered something in the back end, mea culpa, but now I realize that someone was trying a hack. I found out by seeing the bounced
This is disconcerting to me for a couple of reasons: I don't allow users who are not signed in to send recommendations, yet the system is allowing it.
I think I fixed that, please check with the vm3.0.18

Quote from: isabeaux on September 18, 2016, 22:50:45 PM
Also I had set the minimum characters to 50 but they clearly skirted that.
I think it is or was checked only by js.

Quote from: isabeaux on September 18, 2016, 22:50:45 PM
QuoteRecommend a product, ask questions

Show the Recommend to a friend link   [checked]
Allow non logged-in to send a recommendation or ask a question   [unchecked]
Use ReCaptcha for recommendations and 'Ask a question'   [unchecked]
Allows to Ask a question   [unchecked]
Question minimum length   50
Question maximum length   2000

I think to enable captcha is the right answer.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

isabeaux

Thank you, yes, captcha is always safe to have.

I went through the logs and didn't find anything. It's like looking for a needle in a haystack even when I know the time. The thing is that I only found out because they were bounced emails, and I happened to check the spam folder. This was a month ago, and I wonder if they exploited that since. I don' t have a record of server sent mails.

Thank you again,
Tomás

Daxiiy7

yeah, probable an automatic bot that crawls the internet exploiting these vulnerabilities.. good that you caught it, but I wouldn't be extremely concerned, it's probably not deliberate on you.