ExpressionEngine contact form (email module) spam vulnerability
26th January 2009
Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.
It appears that it is very easy to use ExpressionEngine’s contact form (which uses the Email module) to send emails to arbitrary addresses – simply put, to send spam through someone else’s EE installation.
And here’s why:
- the recipients hidden field is sent to the client; it is encrypted, but with access to the mod.email.php code it takes only a few minutes to write an email-encoding function of your own that produces a completely valid recipients field
- there’s also an XID field, which seems to be unique for each page load
The spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though; I didn’t check them.)
This information is valid as of ExpressionEngine 1.6.6, but nothing in the changelogs indicates that this mechanism was modified in newer versions of EE.
Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable CAPTCHA for the contact form.
I’ve notified the developers.
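The weakness above is that the recipient list travels to the client under a reversible encoding whose algorithm is in the (public) source, so anyone who reads the code can produce a valid field. As an added illustration in Python (not ExpressionEngine’s own PHP code), the check below authenticates the list with a server-held secret and then validates it against a per-form allow-list, so a field built without the secret, or one naming an address outside the allow-list, is rejected. The secret, the allow-list and all addresses are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed values for this example. A real deployment loads the secret from
# server-side configuration (never from the page) and the allow-list from the
# form's own settings.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}


def _tag(payload: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the recipients payload: reproducing it needs the secret,
    not merely the source code, which is the property the reversible encoding lacks."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def render_recipients_field(recipients, secret=SERVER_SECRET):
    """Value the server embeds in the form's hidden field: base64(list) + "." + tag."""
    payload = json.dumps(sorted(recipients)).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _tag(payload, secret)


def accept_recipients(field, secret=SERVER_SECRET, allowed=ALLOWED_RECIPIENTS):
    """Server-side check on submit. Returns the recipient list, or None to reject."""
    try:
        enc, tag = field.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(enc.encode())
    except (ValueError, binascii.Error):
        return None  # malformed field
    if not hmac.compare_digest(_tag(payload, secret), tag):
        return None  # tag does not match: field was forged or modified
    try:
        recipients = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(recipients, list) or not recipients:
        return None
    # Policy check: even a correctly tagged field may only reach configured addresses.
    if any(r not in allowed for r in recipients):
        return None
    return recipients
```

The allow-list alone would already stop mail to arbitrary addresses; the tag additionally lets the server detect tampering and log it as a signal of abuse.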