Contact form attack

  • stringbender
    Master Sergeant

    • Dec 2007
    • 60

    Contact form attack

    Help, my website is www.eyeonyouinvestigations.net. My contact form that I built with BV tools is being bombarded with useless gibberish. They come to my email as submissions from my contact form. Luckily my junk mail catches most of them. When I preview them they appear to be just a bunch of letters that make no sense and a couple of things to click on, which I would never do. I had a computer geek friend of mine look into it and this is what he told me: someone is trying to give me a virus. I should ask you the name of the free script you use to build your forms. He said that the action.php shows this vulnerability http://www.securityfocus.com/bid/29725. He said that it's a quick fix by you applying a security patch. Does this make sense, and could you please tell me what to do next? I would appreciate any help. If this message comes through twice I apologize. I sent it the first time and afterwards it said I wasn't logged on, so I started over. Thanks in advance, Brad
  • davidundalicia
    General

    • Mar 2006
    • 6294

    #2
    Re: Contact form attack

    Brad, I followed your link and found this:

    SH-News 'action.php' Authentication Bypass Vulnerability

    Solution:
    Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: blablabla.com. (changed)

    You may want to have a look at naval's free Advanced BlueVoda Form Processor, this should do away with all that spam...
    Have fun
    Regards..... David

    Step by Step Visual Tutorials for the complete beginner
    Newbies / Beginners Forum
    FREE Membership Login Scripts: - Meta Tags Analyzer
    My Social Networking Site - Free Contact Forms
    Finished your New website!! Now get it noticed Here:


    • stringbender
      Master Sergeant

      • Dec 2007
      • 60

      #3
      Re: Contact form attack

      Thanks for the help David. I've spent the last 3 days on the ABVFP quest. I had no trouble getting it to the point where I'm ready to use it. The instructions went like clockwork. My trouble is trying to understand how to use it to make a form on my website. I've tried to follow the instructions line by line but nothing seems to work. I messed up my contact page so badly that I had to delete it and start all over trying to use the simple form I used in the first place. My problem now is I can't publish that page. I just get URL not found. Could you please take a look at www.eyeonyouinvestigations.net and see if you can tell what's wrong. Thanks in advance, Brad


      • navaldesign
        General & Forum Moderator

        • Oct 2005
        • 12080

        #4
        Re: Contact form attack

        You have used the new version of BV, with the built-in form processor. So, BV has automatically published your page as php instead of html. Your form is now at: http://www.eyeonyouinvestigations.net/contact_us.php

        Now, regarding ABVFP: this is NOT a form builder, it is a form processor. You create your form in BlueVoda, as you have done till now, then you simply set the form "action" to point to ABVFP. This way, the info is not processed by the simple script that you have used, but by ABVFP.

        With ABVFP you use a field name extension to show ABVFP how it should process your form fields. This way, you can, for example, tell ABVFP that the field "Name" should NOT contain any "http://" or "www." or "@". This way, ABVFP will refuse to process (meaning it will refuse to send mail) if the field Name contains any of the above.

        Furthermore, ABVFP will detect and refuse to process any form submission that contains attempts to inject the mail headers. This is a method spammers use to send spam email through your own form script, and ABVFP will prevent this.

        And the security patch and report you have posted above have nothing to do with the "action.php" used for form processing. It is just a case of scripts having the same name. Sooner or later, all software developers name some of their scripts "action.php". These can be completely different scripts, as in this case.
        Navaldesign
        Logger Lite: Low Cost, Customizable, multifeatured Login script
        Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart
        DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more....
        Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!
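The two checks navaldesign describes above, a per-field rule chosen by a suffix on the field name and a refusal to mail anything that contains a header-injection attempt, as an added example. This is not ABVFP's code: the suffixes "-Re", "-NoUrl" and "-Req", the sample submissions and the header layout are assumptions constructed for the demonstration. It also shows what the unchecked "paste the address into From:" pattern does with an injected value, which is what the post is warning about.

```python
import re
from typing import Dict, List, Tuple

# Constructed example, not ABVFP's code. The field-name suffixes "-Re",
# "-NoUrl" and "-Req" are assumptions invented here to illustrate the
# suffix-driven rules the post describes; ABVFP's real suffix scheme may differ.

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# A raw CR/LF, or one that is still URL-encoded, inside a form value.
CRLF_RE = re.compile(r"[\r\n]|%0[aAdD]")
URL_TOKENS = ("http://", "https://", "www.", "@")


def has_header_injection(value: str) -> bool:
    """A line break in a form value is the hallmark of mail header injection:
    whatever follows it is parsed as a new header (Bcc:, Cc:) or a new body."""
    return bool(CRLF_RE.search(value))


def build_headers(fields: Dict[str, str]) -> str:
    """The pattern a simple processor uses: paste the visitor's address into
    the From header. Safe only if the value has already been checked."""
    return f"From: {fields.get('Email-Re', '')}\r\n"


def recipients_in_headers(headers: str) -> int:
    """Count addresses that ended up on Bcc:/Cc: header lines."""
    total = 0
    for line in headers.splitlines():
        if line.lower().startswith(("bcc:", "cc:")):
            total += len(re.findall(r"[^\s,]+@[^\s,]+", line.split(":", 1)[1]))
    return total


def validate_submission(fields: Dict[str, str]) -> List[str]:
    """Apply the per-field rule selected by the field name's suffix."""
    errors: List[str] = []
    for name, value in fields.items():
        if has_header_injection(value):
            errors.append(f"{name}: line break in value (header injection attempt)")
            continue
        if name.endswith("-Re"):            # assumed: required, exactly one email address
            if not EMAIL_RE.match(value.strip()):
                errors.append(f"{name}: not a single valid address")
        elif name.endswith("-NoUrl"):       # assumed: free text, no links or addresses
            if any(tok in value.lower() for tok in URL_TOKENS):
                errors.append(f"{name}: URLs or addresses not allowed")
        elif name.endswith("-Req"):         # assumed: required, non-empty
            if not value.strip():
                errors.append(f"{name}: required")
    return errors


def process(fields: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Hardened flow: refuse to send (return False) unless every rule passes."""
    errors = validate_submission(fields)
    if errors:
        return False, errors
    return True, [build_headers(fields)]


# Constructed submissions: a real visitor, a link spammer, and a header injector.
LEGIT = {"Name-NoUrl": "Brad", "Email-Re": "visitor@example.com", "Comments-Req": "Please call me."}
LINK_SPAM = {"Name-NoUrl": "http://spam.example/", "Email-Re": "x@example.com", "Comments-Req": "buy now"}
INJECTED = {"Name-NoUrl": "Brad",
            "Email-Re": "x@example.com\r\nBcc: a@example.org, b@example.org",
            "Comments-Req": "hi"}

if __name__ == "__main__":
    # Unchecked, the injected value smuggles two extra recipients into the headers.
    print("unchecked Bcc recipients:", recipients_in_headers(build_headers(INJECTED)))
    for label, sub in (("legit", LEGIT), ("link spam", LINK_SPAM), ("injection", INJECTED)):
        print(label, process(sub))
```

The point of keeping `build_headers()` identical in both paths is that the string construction is not what makes the hardened version safe; the refusal to reach it when any value contains a line break is. A processor that only strips "Bcc:" but lets the CR/LF through is still injectable with a different header name.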


        • stringbender
          Master Sergeant

          • Dec 2007
          • 60

          #5
          Re: Contact form attack

          Thanks for the help finding my form. I went in and changed the buttons to point to that site. I understand what you mean about ABVFP. I went in and set all my form boxes as they instructed. When I go to my contact page on my website and fill out the form and hit submit, it goes to the DBTechnosystems sign-on page. They had me set the form action to http://www.eyeonyouinvestigations,ne...dbts_abvfp.php When I hit submit it goes to http://www.eyeonyouinvestigations.ne...VFP_admin1.php Any thoughts on what's wrong. Thanks, Brad


          • navaldesign
            General & Forum Moderator

            • Oct 2005
            • 12080

            #6
            Re: Contact form attack

            What's your error page? Is it correctly set in the ABVFP control panel?

            This is usually a problem with one of the error or thank you pages missing or typed wrong.
            Also, it seems that the form URL in the ABVFP control panel is wrong.


            • stringbender
              Master Sergeant

              • Dec 2007
              • 60

              #7
              Re: Contact form attack

              Thanks for your input. You are an expert and I'm a layman. I don't have an error page but I do have a thank you page. It's the same one I used with my old form and it used to work fine. Could you please tell me what you mean by the form URL in the ABVFP control panel is wrong. I love BlueVoda and I used to be confident that I understood what I was doing, but after embarking on the ABVFP adventure I've totally lost all understanding of the system and would very much appreciate it if you would walk me through getting this corrected step by step. I know you have better things to do with your time and I wouldn't be asking if I wasn't so totally lost. If you need access to my control panel or any other phase of this I am glad to give it to you. Thanks so very much for your help. Brad


              • navaldesign
                General & Forum Moderator

                • Oct 2005
                • 12080

                #8
                Re: Contact form attack

                All form processors, including ABVFP, will accept submissions from ANY form, in ANY website. So, spammers take advantage of this: they create a form similar to yours, which doesn't even need to be actually published in any website, and they submit to your script, thus using your script, account, and bandwidth to send thousands of spam mails. ABVFP checks the submission provenance, in order to protect you from spammers. In order to do this, it will check the form URL. If it is different from the one which is supposed to be, it will give an "Illegal Form Submission" error.

                To be able to do that, it needs to know, from you, the correct URL. So when you set up a form with it, you need to type the full URL of the form page.

                You also need to type the two URLs, of the thank you page and the error page.
                Furthermore, the error page needs to be built according to the tutorial. Or, simply use the ones that come with the zip: open them in BV, change the visual parts to suit your site style, and publish them.

                So if the form URL is typed wrong (as I believe in your case) the script will try to display the error. If it can't find the error page, it displays what you actually see.

                If you wish, send me your login details through my contact form, as well as your form page in BV format, and I will fix it for you.
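The provenance check described in the post above, as an added example that is not ABVFP's code: the processor compares the request's Referer with the form URL the site owner typed into the control panel and answers "Illegal Form Submission" on a mismatch. `FORM_URL`, the constructed Referer values and the `.html`/`.php` misconfiguration case are assumptions standing in for the control-panel settings; the `.php` path is the one the thread says BlueVoda actually published.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed example, not ABVFP's code. FORM_URL stands in for the form URL a
# site owner types into the processor's control panel.
FORM_URL = "http://www.eyeonyouinvestigations.net/contact_us.php"


def same_page(referer: Optional[str], expected: str) -> bool:
    """True if the Referer names the configured form page.

    Scheme, host and path are compared (host case-insensitively); query string
    and fragment are ignored so contact_us.php?lang=en still passes. A missing
    Referer fails closed, because the processor cannot tell where it came from.
    """
    if not referer:
        return False
    got, want = urlsplit(referer), urlsplit(expected)
    return (got.scheme.lower(), got.netloc.lower(), got.path or "/") == \
           (want.scheme.lower(), want.netloc.lower(), want.path or "/")


def check_provenance(referer: Optional[str], expected: str = FORM_URL) -> str:
    """The decision the processor makes before it sends anything."""
    return "ok" if same_page(referer, expected) else "Illegal Form Submission"


# Constructed requests: a visitor on the real page, the same page with a query
# string, a spammer posting from a copy of the form, and a browser sending no Referer.
CASES = [
    "http://www.eyeonyouinvestigations.net/contact_us.php",
    "http://WWW.eyeonyouinvestigations.net/contact_us.php?lang=en#top",
    "http://spammer.example/copy_of_contact_form.html",
    None,
]

if __name__ == "__main__":
    for ref in CASES:
        print(repr(ref), "->", check_provenance(ref))
    # The misconfiguration that surfaces later in the thread: the control panel
    # says .html while BlueVoda published .php, so every genuine visitor is rejected.
    print(check_provenance(CASES[0],
                           expected="http://www.eyeonyouinvestigations.net/contact_us.html"))
```

Two caveats a site owner should keep in mind. The Referer header is supplied by the client, so a spammer's script can set it to the real form URL; the check stops the lazy copy-the-form attack the post describes, not a determined one, which is why the field rules and header-injection refusal still matter. And because some browsers and privacy proxies strip Referer entirely, genuine visitors can hit the "Illegal Form Submission" path too, so the error page it redirects to has to exist, exactly as the post insists.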


                • stringbender
                  Master Sergeant

                  • Dec 2007
                  • 60

                  #9
                  Re: Contact form attack

                  I just sent the info you requested to DBTech through their form page. I hope that was the right place to send it. Thanks, Brad


                  • navaldesign
                    General & Forum Moderator

                    • Oct 2005
                    • 12080

                    #10
                    Re: Contact form attack

                    Hi Brad,

                    You had the following issues:
                    1. The form ID was 2, it should be 3 (at least that's what you have set as contact form).
                    2. The email field should be Email-Re. You had Email-R, so the script could not understand which was the email field.
                    3. The text area was unnamed, I renamed it to "Comments".
                    4. In the ABVFP control panel, you had, as form URL, http://www.eyeonyouinvestigations.net/contact_us.html instead of the correct http://www.eyeonyouinvestigations.net/contact_us.php
                    5. In the ABVFP control panel, you had the thank you page as http://www.eyeonyouinvestigations.net/action.html instead of the correct http://www.eyeonyouinvestigations.net/action.php
                    6. In the thank you page itself, you still had the old php script. I deleted it from the page.
                    Please note that you still DON'T have an error page. So, as long as the visitors submit correct information, you will receive the mail, but as soon as there is a mistake, the result will be a 404 Page Not Found or it will redirect to the ABVFP login page. You need to create the error page according to the tutorial, and also set the error page URL in the ABVFP control panel.

                    Bye

                    George

                    PS. Can't contact you: my mails get returned with a "Bad Destination Address" message
