Re: Contact form attack

Brad, I followed your link and found this:

SH-News 'action.php' Authentication Bypass Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: blablabla.com. (changed)

You may want to have a look at navals free Advanced BlueVoda Form Processor, this should do away with all that spam......

Re: Contact form attack

Thanks for the help David. I've spent the last 3 days on the ABVFP quest. I had no trouble getting it to the point where I'm ready to use it. the instructions went like clock work. My trouble is trying to understand how to use it to make a form on my website. I've tried to follow the instructions line by line but nothing seems to work. I messed up my contact page so bad that I had to delete it and start all over trying to use the simple form I used in the first place. My problem now is I can't publish that page. I just get URL not found. Could you please take a look at www.eyeonyouinvestigations.net and see if you can tell whats wrong. thanks in advance, Brad

Re: Contact form attack

You have used the new version of BV, with the built in form processor. So, BV has automatically published your page as php instead of html. You form now is in: http://www.eyeonyouinvestigations.net/contact_us.php

Now, regarding ABVFP: this is NOT a form builder, it is a form processor. You create your form in BlueVoda, as you have done till now, then you simply set the form "action" to point to ABVFP. This way, the info is not processed by the simple script that you have used, but it is processed by the ABVFP.

With ABVFP you use a field name extension to show ABVFP how it should process your form fileds. This way, you can, in example, tell ABVFP that the firld "Name" (as example) should NOT contain any "http://" or "www." or "@" . This way, ABVFP will refuse to process (meaning it will refuse to send mail) if the field Name contains any of the above.

Further more, ABVFP will detect and deny to process any form submission that will contain attempts to inject the mail headers. This is a method spamers use to send spam email through your own form script, and ABVFP will avoid this.

And the security patch and report you have posted above has nothing to do with the "action.php" used for form processing. It is just a case of scripts having the same name. Sooner or later, all software developers name some of their scripts "action.php". These can be completely different scripts, as in this case.

Re: Contact form attack

Thanks for the help finding my form. I went in and changed the buttons to point to that site. I understand what you mean about ABVFP. I went in and set all my form boxes as they instructed. When I go to my contact page on my website and fill out the form and hit submit it goes to the DBT technosystems sign on page. They had me set the form action to http://www.eyeonyouinvestigations,ne...dbts_abvfp.php When I hit submit it goes to http://www.eyeonyouinvestigations.ne...VFP_admin1.php Any thoughts on whats wrong. Thanks, Brad

Re: Contact form attack

What's your errorpage ? is it correctly set in he ABVFP control panel ?

This is usually a problem with one of the error or thank you pages missing or typed wrong.
Also, it seems that your the form URL in the ABVFP control panel is wrong

Re: Contact form attack

Thanks for your input. you are an expert and I'm a layman. I don't have an error page but I do have a thank you page. It's the same one I used with my old form and it use to work fine. Could you please tell me what you mean by the form URL in the ABVFP control panel is wrong. I love blue Voda and I use to be confident that I understood what I was doing, but after imbarking on the ABVFP adventure I've totally lost all understanding of the system and would very much appreciate it if you would walk me through getting this corrected syep by step. I know you have better things to do with your time and I wouldn't be asking if I wasn't so totaly lost. If you need access to my control panel or any other phase of this I am glad to give it to you. Thanks so very much for your help. Brad

Re: Contact form attack

Al form processors, including ABVFP, will accept submissions from ANY form, in ANY website. So, spammers take advantage of this: they create a form similar to yours, wich doesn't even need to be actually published in any website, and they submit to your scrip, thus using your script, account, and bandwidth t send thousands of spam mails. ABVFP checks the submission provenience, in order to protect you from spammers. In order to do this, it will check the form URL . If it is different from the one which is supposed to be, it will give an "Illegal Form Submission" submission.

To be able to do that, it needs to know, from you, the correct URL. So when you setup a form with it, you need to type the full URL of the form page.

You also need to type the two URLs, of the thank you page and the error age.
Further more, the error page needs to be built according to the tutorial. Or, simply use the ones that come with the zip: open them in BV, change the visual parts to suit your site style, and publish them.

So if the form URl is typed wrong (as i believe in your case) the script will try to display the error. If it can't find the errorpage, it displays what you actually see.

If you wish send me your login details through my contact form, as well as your form page in BV format, and i will fix it for you.

Re: Contact form attack

I just sent the info you requested to DBTech through there form page. I hope that was the right place to sent it. Thanks, Brad

Re: Contact form attack

Hi Brad,

You had the following issues:
1. The form ID was 2, it should be 3 (at least that's what yyou have set as
contact form.
2. The email field should be Email-Re . You had Email-R so the script could
not understand which was the email field.
3. The text area was unnamed, i renamed it to "Comments"
4. In the ABVFP control panel, you had, as form URL,
http://www.eyeonyouinvestigations.net/contact_us.html instead of the correct
http://www.eyeonyouinvestigations.net/contact_us.php
5. In the ABVFP control panel, you had the thankyou page as
http://www.eyeonyouinvestigations.net/action.html instead of the correct
http://www.eyeonyouinvestigations.net/action.php
6. In the thank you page itself, you still had the old php script. I deleted
it from the page.
Please note that you still DON'T have an error page. So, as long as the
visitors submit correct information, you will receive the mail, but as soon
as there is a mistake, the result will be a 404 Page not Found or it will
redirect to the ABVFP login page. You need to create the error page
according to the tutorial, and also set the error page URL in the ABVFP
control panel.

Bye

George

PS. Can't contact you: my mails get returned with a "Bad Destination Address" message