• I have been receiving a number of spam messages from my contact form. This form comes with the BLIX theme. The spam messages all follow a distinct pattern, and include lots of links with the full a href HTML in them.

    I created the following code to filter for these messages, and to stop them from being sent. It’s still being tested in a live environment (so far, no spam).

    It’s not incredibly robust, but should do the trick:

    // Look for the opening of an anchor tag anywhere in the message body.
    $pos = strpos($bx_message, "<a href");
    if ($pos === false) {
        // No anchor tag found: it's not spam, allow the send.
        $send = 1;
    } else {
        // Anchor tag found: block the send and tell the user why.
        $error_msg .= "<p><strong>Your email will not be sent, as it is suspected to be spam. Remove all HTML tags and try again.</strong></p>\n";
        $send = 0;
    }

    You should put it after this block in the original code:

    if (!is_valid_email($bx_email)) {
        $error_msg .= "<p><strong>Your email address failed to validate.</strong></p>\n";
        $send = 0;
    }

    I know it could be cleaner, made into a function, etc. etc. I wanted to throw it out to the community instead, as it is a quick fix for an annoying problem.

    Hope this helps someone else!

    -e

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Eric Marden

    (@xenlab)

    Note: the <p>n above should have a backslash before the n (it’s a newline char). The forum must strip them.

    This is a good start but don’t forget that the anchor tag can have a bunch of attributes, not just href:

    accesskey, charset, class, coords, dir, href, hreflang, id, lang, name, onblur, onclick, ondblclick, onfocus, onkeydown

    It’s not a good idea to assume that the “href” attribute will be the first one specified, so your code should really check for all of them. Perhaps something like this might be a little more robust:

    $send = 0;
    // Case-insensitive: catches "<A HREF=...>" as well as "<a href=...>", and does not
    // require href to be the first attribute of the anchor tag.
    if (stripos($bx_message, "<a ") !== false && stripos($bx_message, " href=") !== false) {
        $error_msg .= "<strong>Your email will not be sent, as it is suspected to be spam. Remove all HTML tags and try again.</strong>\n";
    } else {
        $send = 1; // it's not spam.
    }

    Note that I’m also proposing stripos() instead of strpos() for a case-insensitive match.

    Thread Starter Eric Marden

    (@xenlab)

    Thanks for the update. I’ll implement it today and see if it keeps going. I was basing my code off the pattern each one of the messages I’ve gotten followed. This is why I posted it here. As I figured we could all keep building off of it to make this contact form secure for what I expect to be a bunch of users that have used the Blix theme.

    deltaphi

    (@deltaphi)

    Hm, my problem is that other people use my contact form to send spam to people via CC. This is an enormous security leak in the Blix contact form. Has anyone solved this problem already?
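    As an added example, not code from the Blix theme or from anyone in this thread: one function that combines the anchor-tag check discussed above (any attributes, any case) with a check for the line breaks that let a sender smuggle Cc:/Bcc: headers through a contact form, which is the abuse deltaphi describes. Only $bx_email and $bx_message are the theme's names; bx_contact_checks() and the sample inputs are assumptions.

```php
<?php
// Added example (not the Blix theme's own code). bx_contact_checks() is a
// hypothetical name; $bx_email and $bx_message are the theme's variables.

/**
 * Returns a list of error messages. An empty list means the message may be sent.
 */
function bx_contact_checks(string $bx_email, string $bx_message): array
{
    $errors = [];

    // Any <a ...> tag, case-insensitive, regardless of which attributes come
    // before href (or whether href is present at all). \b keeps <abbr> etc. out.
    if (preg_match('/<\s*a\b[^>]*>/i', $bx_message)) {
        $errors[] = 'Your email will not be sent, as it is suspected to be spam. Remove all HTML tags and try again.';
    }

    // Anything placed into a mail header (From, Reply-To, Subject) must not
    // contain CR or LF: a line break lets the sender append their own
    // Cc:/Bcc: headers and relay mail to recipients of their choosing.
    // Apply the same check to every other form field that reaches a header.
    if (preg_match('/[\r\n]/', $bx_email)) {
        $errors[] = 'Your email address may not contain line breaks.';
    } elseif (filter_var($bx_email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Your email address failed to validate.';
    }

    // The To: address must stay a constant configured in the theme; never
    // build it from a form field.
    return $errors;
}

// Constructed sample inputs, not real messages.
$samples = [
    ['reader@example.com', 'Hello, I like your site.'],
    ['spam@example.com', 'Buy now <A CLASS="x" HREF="http://example.com">here</A>'],
    ["x@example.com\r\nCc: someone@example.com", 'hi'],
];
foreach ($samples as [$email, $message]) {
    $errors = bx_contact_checks($email, $message);
    echo ($errors ? 'REJECT: ' . implode(' ', $errors) : 'OK') . "\n";
}
```

    In the theme, call it where the original is_valid_email() block sits and set $send = 0 whenever the returned list is non-empty.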

  • The topic ‘BLIX Theme – Patch For Spam Vulnerability’ is closed to new replies.