
Security issue version 1.6.1.24


Zeryk


I'm getting spam emails via the Contact Us page (Webmaster / Customer service), which I deleted a long time ago, so the URL doesn't exist at all. Before that, when using it, I had a captcha module implemented there.

How come somebody can send an email through a page which physically doesn't exist? Do they have some direct access to my DB in the shop?

How do I find that spam?

Shouldn't that be flagged as a security issue?

Thanks.

 


1 hour ago, Zeryk said:

I'm getting spam emails via the Contact Us page (Webmaster / Customer service), which I deleted a long time ago, so the URL doesn't exist at all. Before that, when using it, I had a captcha module implemented there.

How come somebody can send an email through a page which physically doesn't exist? Do they have some direct access to my DB in the shop?

How do I find that spam?

Shouldn't that be flagged as a security issue?

Thanks.

 

Hi,

Can you please check the patterns of spam mails?


Hello, @Zeryk

Normally, when you remove the page from your site listing, the controller still exists; as it is open source software, a hacker or spammer knows which URL they need to post to.

I think they hit the contact controller and then post to it. If possible, you can share your site URL in a PM and we will give it a try with the URL from our localhost.

 

Thank you


On 8/9/2021 at 1:14 PM, Shabab said:

Hi,

Can you please check the patterns of spam mails?

I've deleted them, but they all come from Russia, I guess. I've seen that topic already in some other place.

I've sorted the problem.

Thanks.


On 8/10/2021 at 12:20 PM, SmartDataSoft said:

Hello, @Zeryk

Normally, when you remove the page from your site listing, the controller still exists; as it is open source software, a hacker or spammer knows which URL they need to post to.

I think they hit the contact controller and then post to it. If possible, you can share your site URL in a PM and we will give it a try with the URL from our localhost.

 

Thank you

Yep, I realized that after posting the question, so I deleted the controller as well.

Thanks


On 8/16/2021 at 7:35 PM, endriu107 said:

There is an easy fix for ContactController: just check if $message contains a word such as 'www' or 'http' with the strpos() function; if it does, just return without action.

Yep, removing the controller altogether wasn't a smart move. It messes up other stuff in the BO ;-(

So I put it back.

There is no 'www' in the script at all, anywhere. There is only one 'http', but it's in $cm->user_agent = $_SERVER['HTTP_USER_AGENT'];

so probably not the case.

But thanks for trying to help.


I don't want to use the customer service page, nor the internal messenger of PS. Yet I can not completely delete the controller, because the SEO & URLs page (the URL there) can not be edited afterwards (I get a blank page).

So I guess I need to edit ContactController.php.

Can anybody advise which lines in this script (file) I should exclude to avoid any messaging?

Thank you!


14 minutes ago, endriu107 said:

In function postProcess()

below $message = Tools::getValue('message');

add:

if (strpos($message, 'www') !== false) {
    return;
}

if (strpos($message, 'http') !== false) {
    return;
}

Thanks!

I've applied that one. Will see within next couple of days if it works.

Thanks again!

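The check suggested above works, but strpos() is case-sensitive and only looks for two literal substrings. The following stand-alone PHP script is an added example (not code from the thread or from PrestaShop): it runs the thread's check next to a case-insensitive variant over a few constructed sample messages, including one upper-case URL and one bare domain, and also shows the plain-text case that neither check can catch. The TLD list in the regular expression is an assumption for the demo.

```php
<?php
// Added example (not from the thread): compares the strpos() check posted above with a
// case-insensitive, slightly broader check. All sample messages are constructed for this demo.

/** The check as posted in the thread: case-sensitive substring match. */
function blockedByThreadCheck($message)
{
    return strpos($message, 'www') !== false || strpos($message, 'http') !== false;
}

/**
 * Hardened variant: case-insensitive, and also catches bare domains such as
 * "example . ru" written with spaces around the dot. The TLD list is an assumption
 * for the demo; extend it to whatever actually shows up in your own spam.
 */
function looksLikeLinkSpam($message)
{
    if (stripos($message, 'www') !== false || stripos($message, 'http') !== false) {
        return true;
    }
    $bareDomain = '/\b[a-z0-9-]+\s*\.\s*(?:com|net|org|ru|info|biz|xyz)\b/i';
    return preg_match($bareDomain, $message) === 1;
}

// Constructed sample messages: one legitimate enquiry plus typical spam variants.
$samples = array(
    'Hello, is the blue jacket available in size M?',
    'Cheap SEO services at http://example.invalid/offer',
    'Visit WWW.EXAMPLE.INVALID for our marketing package',   // upper case defeats strpos()
    'Great prices, see example . ru for details',            // no "www"/"http" at all
    'Plain-text marketing offer, no link included',          // the case the last post describes
);

foreach ($samples as $text) {
    printf("%-56s thread check: %-5s hardened: %s\n",
        $text,
        blockedByThreadCheck($text) ? 'block' : 'pass',
        looksLikeLinkSpam($text) ? 'block' : 'pass');
}
```

Run it with php on the command line. The last sample passes both checks, which is exactly the situation reported later in the thread: a keyword filter only stops spam that contains the keywords, so once the senders drop the links the filter no longer helps.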

1 month later...
On 8/20/2021 at 12:23 PM, endriu107 said:

Now any message with words www or http will be blocked.

Just a question, if I may. How do I stop any emails coming via customer service (ContactController.php)?

Because I'm starting to receive spam again, this time without www or http, just plain text with various marketing offerings which I'm not interested in.

I don't use the customer service concept for emailing, so I don't need it at all. That means I don't mind deleting some file or module, whatever needs to be done for that. It's just that if I delete ContactController.php, some important functions don't work in the back office, so I might need to delete only some lines?

 

Thanks a lot!

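Rather than deleting or hand-editing the core ContactController.php, PrestaShop 1.6 lets you override a front controller from the override/ directory, which leaves the core file untouched. The following is an added example (not PrestaShop's own code) of such an override that either refuses every contact-form submission or filters link-like messages; it only runs inside a PrestaShop 1.6 install, not stand-alone. The class name ContactControllerCore, the Tools helpers and the $this->errors array are PrestaShop's; the DISABLE_CONTACT_FORM constant, the looksLikeLinkSpam() method and the file location are this example's own assumptions, and the 'submitMessage' field name should be checked against the core ContactController.php in your version.

```php
<?php
// Added example (not PrestaShop's own code): an override for PrestaShop 1.6 that keeps the
// core ContactController.php in place but lets you either refuse every contact-form
// submission or filter link-like spam before any email is sent.
// Assumed location: override/controllers/front/ContactController.php in the shop root.
// ContactControllerCore, Tools and $this->errors come from PrestaShop 1.6; the rest is ours.

class ContactController extends ContactControllerCore
{
    /** true: no contact-form email is ever sent, while the page itself stays reachable. */
    const DISABLE_CONTACT_FORM = true;

    public function postProcess()
    {
        // Only act on an actual form submission; any other request falls through unchanged.
        if (!Tools::isSubmit('submitMessage')) {
            parent::postProcess();
            return;
        }

        if (self::DISABLE_CONTACT_FORM) {
            // Nothing is stored and no mail is sent; the visitor just sees an error.
            $this->errors[] = Tools::displayError('The contact form is currently disabled.');
            return;
        }

        $message = (string) Tools::getValue('message');
        if (self::looksLikeLinkSpam($message)) {
            // Deliberately generic wording: don't tell the sender which rule matched.
            $this->errors[] = Tools::displayError('Invalid message.');
            return;
        }

        // Legitimate submission: let the core controller validate and send it as usual.
        parent::postProcess();
    }

    /** Case-insensitive version of the www/http check suggested earlier in the thread. */
    public static function looksLikeLinkSpam($message)
    {
        return stripos($message, 'www') !== false || stripos($message, 'http') !== false;
    }
}
```

After placing the file, delete cache/class_index.php so PrestaShop 1.6 rebuilds its class index and picks up the override. Because the core controller file is never removed, the back-office pages that depend on it (such as the SEO & URLs page mentioned above) should keep working, and the override can be deleted at any time to restore the original behaviour.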
