Vulnerability report: It's possible to use recommend form to send SPAM e-mails

[Misko]

I was watching my log files today and I found this:
index.php?page=shop.recommend&product_id=5&pop=1&tmpl=component&option=com_virtuemart&Itemid=4&vmcchk=1&Itemid=4

if you open this link you will get a from with all fields emtpy and ready to use
from:
to:
subject:
body:

If you fill them and click' submit, you can send a message to any e-mail address you want. I think this is a big security issue. It means that my site can be used as spam gateway without big effort.
I've searched a config option to turn off this feature but I couldn't find it.

[jenkinhill]

Since this could be abused there is certainly a switch in VirtueMart. In VM Admin Configuration/Site/Display/Show the "Recommend to a friend" link?

[Misko]

In this way you can hide the link on the page but if you use a link I posted (which I found in my log files, not as referr but as direct) attacker could exploit this weaknes.

I'm afraid that spamers now use google to find all sites with VM installed.

[PolishedGeek]

We tested this out upon reading this, and found that yes, even without the Recommend to a Friend enabled, spammers could still generate that page by using a page=shop.recommend string.

Here's how we patched the vulnerability on our sites:

Edit <Joomla
root>/administrator/components/com_virtuemart/html/shop.recommend.php

Right under

if( !defined( '_VALID_MOS' ) && !defined( '_JEXEC' ) ) die( 'Direct Access to '.basename(__FILE__).' is not allowed.' );

add this:

header('Location: http://joomla.org/');
exit;

You can delete the rest of the contents of the file.  What this does is redirect the page to address you specify before the form even gets generated. We decided to send spammers trying to use shop.recommend right to our custom Error 404 page.

I suppose you could delete the file entirely, but this seemed like a more graceful method than letting the server throw a file name request error.

Thanks for the heads up on this issue!

~ Deb Cinkus
Polished Geek, LLC
www.PolishedGeek.com

[randomperson]

people, you should really remove this "feature" from virtuemart all together! a lot of people doesn't even know what kind of danger it brings to their stores

[t.vdmeulen]

Hi,

This seems to be a high vulnerability! I found that this weekend my joomla site with VM (V1.1.0) was used by a spammer to send email through the shop.recommend script. It did a POST request with some values to send email constantly.

A solution could be CAPTCHA (going to try this for myself) When i have a fix i will post it here.

[bgdaddy55]

Hello,
Thanks for the quick tutorial on this.  I was contacted by my server admin for sending tons of SPAM.  After further review, they were using this part of VM to SPAM others.  I followed the instructions above and it is now solved. 

[maslan]

Hi all,

I have made some modifications and now it is with captcha. You may download updated shop.recommend.php from freecodestore.com

[cmrogm]

Hi Maslan - This question is specifically for you.
Our website is getting tons of spam submitted through our VM forms for each of our equipment listings.  Can you please tell me how you created the captcha form?  I need a solution fast, as this is driving us crazy?

Thanks,

[maslan]

Hi cmrogm,

I used javascript to create captcha.

Which forms are being used? I will try to help, if there is something I can do.

Best regards,

Mustafa

[jenkinhill]

I need a solution fast, as this is driving us crazy?

Download Walter Cedric's SecurityImages 5.1.2 from http://waltercedric.com/joomla-mainmenu-247/304-securityimages.html

You will also need his Joomla and VirtueMart patches. See http://wiki.waltercedric.com/index.php?title=SecurityImages5.0.X for full instructions.

[AH]

maslan, they just turn off java and go throught backend

[maslan]

Hi Hutson,

Validation is done by javascript but the real page is hidden till it is being validated. And this hide/show is done by PHP, not javascript (the code producing recommendation form is not processed if validation fails).

I tried the page by turning the java off and nothing comes on. Please see the picture below.

You may try at http://celiskiler.com/index2.php?page=shop.recommend&product_id=5&pop=1&tmpl=component&option=com_virtuemart1&Itemid=54 by turning the javascript off. You won't even see recommendation form.

Best regards,

Mustafa

[Burnman]

I know this topic is old but I just only now found this exploit issue in our installment of virtuemart and it was killing us.
It seems that the "recommended a product to a friend" was a huge exploit and it allowed a hacker to do something that caused us to constantly send emails out that bounced back, and I'm talking thousands per day. Only when we transferred our hosting to another company that they helped us in tracking the IP associated to the perv and have temporarily stopped them.

That's why I'm here, looking for a solution. I'll use the fix posted on this thread, but I just wanted to make this exploit known and it should be fixed or removed.
I didn't do past updates cause we have made some modifications to the product and due to our developer not being with us any more, there was no way to do this without reverting and loosing all our mods.

Fortunately the company I help developed are creating our own in house site and tools that will replace anything Joomla. We found that when you have to many modules or components that could be exploited, there are to many variables to keep track, especially if these products aren't kept up to date security wise.

I do thank you however on making this issue known and having a fix for this. I'm not sure if this fix was added to latest update, if it hasn't, it should.

Cheers!

Bernard

[PRO]

I know a site that got hacked via the shop.reccomend

This will disable it totally.
Replace the whole file with this, and they automatically get sent to homepage
administrator/components/com_virtuemart/html/shop.reccoment.php

<?php
if( !defined( '_VALID_MOS' ) && !defined( '_JEXEC' ) ) die( 'Direct Access to '.basename(__FILE__).' is not allowed.' );header('Location: http://wwwyoursite.com/');
exit;