Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

    • Archives

    • Recent comments

    Archive for January 26th, 2009

    ExpressionEngine contact form (email module) spam vulnerability

    26th January 2009

    Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.

    It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

    And here’s why:

    • recipients hidden field is passed to the client; it is encrypted, but with access to the mod.email.php code, it is a matter of several minutes to write your own email-encoding function which will produce a completely valid recipients field
    • there’s also XID field, which seems to be unique for each page load

    Spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though – didn’t check them.)

    This information is valid as of ExpressionEngine 1.6.6, but nothing in the change-logs indicates that this mechanism was modified in the newer versions of EE.

    Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for Contact Form.

    I’ve notified the developers.

    Share

    Posted in CMS, PHP, Programming, Software, Web | 1 Comment »