5 posts by 2 authors in: Forums > CMS Builder: Plugins & Add-ons
Last Post: July 4, 2018

By gversion - June 29, 2018

Hello,

I have noticed that someone or something has been trying to submit programming commands into my newsletter subscription form.

For example, from my developer log I can see that $_POST =

Array
(
[jform] => Array
(
[name] => adminins
[username] => euadmin
[password1] => 102030
[password2] => 102030
[email1] => ad.m-inis-trator@hotmail.com
[email2] => ad.m-inis-trator@hotmail.com
)

[option] => com_users
[task] => registration.register
[submitForm] => 1
)

and $_REQUEST =

Array
(
[jform] => Array
(
[name] => adminins
[username] => euadmin
[password1] => 102030
[password2] => 102030
[email1] => ad.m-inis-trator@hotmail.com
[email2] => ad.m-inis-trator@hotmail.com
)

[option] => com_users
[task] => registration.register
[submitForm] => 1
[joomla] => pages-ii
[user] => registration.html
[n] =>
[a] =>
[e] =>
)

I am using HTML5 validation on the email subscription form and also the inbuilt PHP/SQL validation so hopefully this will be OK.

However, if someone inputs a non-existent page on my homepage such as:

/index.php/joomla-pages-ii/user-registration.html?task=registration.register

... which is what is reported in my developer log, then currently the homepage just loads as normal.

Is it possible using the permalinks plugin to somehow forward these URLs to the 404 page?

Thank you,

Greg

By gregThomas - July 2, 2018 - edited: July 2, 2018

Hey Greg,

Are these entries from the same IP address (the IP address is listed in the CMSB error log entries)? It might be worth adding a rule to your htaccess to block them if they are:

Order Deny,Allow
Deny from 192.168.1.1

If you're not using the jform POST/GET variable at all, you could also block these requests by adding the following to your newsletter subscription form:

if( isset($_REQUEST['jform']) ) { dieWith404("Permission denied"); } 

Thanks,

Greg

Greg Thomas
PHP Programmer - interactivetools.com

By gversion - July 4, 2018

Hi Greg,

Thanks for the help. It seems all the entries were coming from the same IP (89.161.135.94) and from a bit of Googling I can see that this IP has been listed on spam databases. I have added the following as you suggested so hopefully that will take care of things for the time being:

Order Deny,Allow
Deny from 89.161.135.94

What is the jform POST/GET variable?

Currently my subscription form code is as follows:

<form id="subscribeform" method="post" action="/thankyou-subscription.php" class="form-inline">
<div class="input-group">
<?php if (@$authUserNum): ?>
<?php echo htmlencode($authUserEmail); ?>
<?php else: ?>
<input type="email" id="e" name="e" class="form-control" placeholder="Email address" value="<?php echo htmlencode(@$_REQUEST['e']) ?>" required />
<?php endif ?>
<input type="hidden" name="submitForm" value="1" />
<input type="hidden" name="n" value="<?php echo htmlencode(@$_REQUEST['n']); ?>" /><?php // subscriber num ?>
<input type="hidden" name="a" value="<?php echo htmlencode(@$_REQUEST['a']); ?>" /><?php // subscriber authkey ?>
<input type="hidden" name="m" value="<?php echo htmlencode(@$_REQUEST['m']); ?>" /><?php // message num ?>
<input type="hidden" name="lists[]" value="<?php echo htmlencode($lists[0]['num']); ?>" <?php echo @$checkedAttr; ?> />
<span class="input-group-btn">
<button class="btn btn-success" id="subscribe" name="subscribe" type="submit" value="Update Subscriptions"><strong>Subscribe</strong></button>
</span>
</div>
</form>

If I am not using the jform POST/GET variable then could I just insert your suggested "if" statement above line 3? So it would be as follows:

<form id="subscribeform" method="post" action="/thankyou-subscription.php" class="form-inline">
<div class="input-group">
<?php if( isset($_REQUEST['jform']) ) { dieWith404("Permission denied"); } ?>
<?php if (@$authUserNum): ?>
<?php echo htmlencode($authUserEmail); ?>
....

Thank you for your help.

Regards,

Greg

By gregThomas - July 4, 2018

Hey Greg,

The jForm variable ($_REQUEST['jform']) is something that the scripter is sending in his requests. My guess is it's used by one of the major CMSs' (Joomla, WordPress, etc.) login forms or popular plugins, and he's trying to use a known exploit to gain access to the server or send spam email.

Looking at your code, you're fine to add the die statement to line 3 of the form as you don't use a variable called jform in your form. I'd also recommend adding that line to the top of thankyou-subscription.php, as this is where the data from that form is actually submitted and processed.

Cheers,

Greg

Greg Thomas
PHP Programmer - interactivetools.com
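As an added example (not code from this thread or from CMS Builder), the one-line jform check above can be generalised into an allow-list of the fields the subscription form actually sends, so any request carrying fields the form never uses (jform, option, task, joomla, user, ...) is logged and answered with a 404 before the form data is touched. It assumes CMSB's dieWith404() is available; a minimal fallback is defined so the file also runs on its own.

```php
<?php
// Added example, not from the thread or CMS Builder. Reject requests that carry
// fields the subscription form never sends, on both the page that renders the
// form and thankyou-subscription.php (the page that processes it).

if (!function_exists('dieWith404')) {
    // Fallback for running this file outside CMSB; CMSB provides its own.
    function dieWith404($message) {
        http_response_code(404);
        exit($message);
    }
}

// The fields the form in this thread submits: lists[] arrives as the key "lists".
$allowedFields = ['e', 'n', 'a', 'm', 'lists', 'submitForm', 'subscribe'];

/**
 * Return the request field names that are not in the allow-list.
 */
function unexpectedFields(array $request, array $allowed) {
    return array_values(array_diff(array_keys($request), $allowed));
}

/**
 * Log and refuse with a 404 when foreign fields are present, otherwise return.
 * Uses GET and POST only: $_REQUEST can also contain cookies depending on
 * request_order, which would turn every cookie name into a false positive.
 */
function rejectForeignFields(array $request, array $allowed) {
    $foreign = unexpectedFields($request, $allowed);
    if (!$foreign) {
        return true;  // nothing suspicious, carry on with the subscription code
    }
    // The CMSB error log already records the IP, but a dedicated line makes
    // repeat sources easy to spot when deciding on an htaccess Deny rule.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(sprintf('subscription form: rejected fields [%s] from %s',
                      implode(',', $foreign), $ip));
    dieWith404("Permission denied");
}

// Place this before any of the form data is read or rendered.
rejectForeignFields(array_merge($_GET, $_POST), $allowedFields);
```

With the request dumped at the top of the thread, unexpectedFields() returns jform, option, task, joomla and user, so the request is refused; the form's own fields pass untouched.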

By gversion - July 4, 2018

Hi Greg,

Thanks for the insight into this. I have added the if statement to the 2 pages so I should be all set now.

Thanks so much again for your support.

Regards,

Greg