It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

And here’s why:

• recipients hidden field is passed to the client; it is encrypted, but with access to the mod.email.php code, it is a matter of several minutes to write your own email-encoding function which will produce a completely valid recipients field
• there’s also XID field, which seems to be unique for each page load

Spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though – didn’t check them.)

This information is valid as of ExpressionEngine 1.6.6, but nothing in the change-logs indicates that this mechanism was modified in the newer versions of EE.

Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for Contact Form.

I’ve notified the developers.

EE CMS consists of “modules”. Each module has some admin-side and/or visitor-side functionality, and adds some more template tags, available for templating.

I built a site using EE – http://j-school.kiev.ua/ (it’s in Ukrainian, but has several static pages in English). The site has a main blog, and approximately eight topical sub-blogs. Everything is driven by quite a limited number of custom templates – which are often just “include”-d with different parameters.

As a summary: EE is good for “unusual designs”, as it’s templating is both strong and flexible. However, as a programmer, I find EE “rough around the edges”, and not always consistent. It’s still being developed – for example, the “Pages” module, which allows to create pages with user-defined URLs/permalinks, was added to the core fairly recently; before that, it existed only as a third-party module, and was quite a pain to use.

Disclaimer: I’m in no way associated with EllisLab, except for being a hired programmer for a purchased EE version.