Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc


ExpressionEngine contact form (email module) spam vulnerability

26th January 2009

Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.

It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

And here’s why:

  • the recipients hidden field is passed to the client; it is encrypted, but since the encoding logic lives in mod.email.php, anyone with access to that code can reproduce it in a matter of minutes and produce a completely valid recipients field
  • there is also an XID field, which seems to be unique for each page load

The spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though – I didn’t check them.)

This information is valid as of ExpressionEngine 1.6.6, but nothing in the changelogs indicates that this mechanism was modified in newer versions of EE.

Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for the Contact Form.

I’ve notified the developers.


One Response to “ExpressionEngine contact form (email module) spam vulnerability”

  1. The Anti Spam Hub Says:

    [...] ExpressionEngine contact form (email module) spam vulnerability … [...]
