MB34

Reputation: 4424

Contact Form spam

I have a contact form on my site. I have a dropdown with the "allowed" subjects. However, I've been getting emails sent from the form with subjects that are not in my dropdown form.

The form is an ExpressionEngine template and it submits to itself with an added URL segment, i.e. '/contact/submit'. The template checks for the submit segment and then sends the values to an EE plugin that builds the email and sends it. The form's method is POST.

How could they be circumventing the subject dropdown?

Upvotes: 1

Views: 288

Answers (4)

alxkls

Reputation: 151

Well, anything which is visible to the browser can be compromised in one way or another. Just because you see a dropdown and it may visually appear to be secure doesn't mean it is. And it is 10 times worse if you don't have a security mechanism such as a captcha or something along those lines; in that case anyone could write a script pointing to the action of your form. Otherwise people could stick to the "teen" method, as I refer to it. Firefox has an extension called Firebug which allows you to modify the HTML and, in your particular case, the drop-down menu. Chrome has that integrated by default (hit F12). Your best option is to rework your security mechanism.

Upvotes: 1

Chris Forrence

Reputation: 10094

What's probably going on is that they're injecting their own subject. If your dropdown values are strings and you're just using them as is, it's pretty easy to use your own subject.

As a fix, you could tie a numerical ID to each dropdown value, then on the backend, do a switch between the possible values. For example (in PHP):

<?php
$reject = false;
$subjectStr = null;
if (isset($_POST['subject']))
{
    // Map the submitted numeric ID to a subject string chosen on the server;
    // any ID that is not a known case falls through to default and is rejected.
    switch (intval($_POST['subject']))
    {
        case 1: // General inquiry
            $subjectStr = "General Inquiry";
            break;
        // ... one case per allowed dropdown value ...
        default:
            $reject = true;
            break;
    }
}
else
{
    $reject = true;
}
if (!$reject)
{
    // Process email using $subjectStr
}
?>

Upvotes: 2
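The same allow-list idea carried a step further, as an added example that is not part of the answer above: the subject IDs and labels are assumed, and the lookup uses FILTER_VALIDATE_INT instead of intval() so that values like "2abc" (which intval() would quietly accept as 2) and array-shaped fields are rejected along with free-text subjects.

```php
<?php
// Added example (not from the answer above). The browser dropdown is only a
// convenience: any POST body can reach the template, so the server maps an
// ID to the subject text itself and rejects everything else.
// The IDs and labels below are assumptions for illustration.
const ALLOWED_SUBJECTS = [
    1 => 'General Inquiry',
    2 => 'Support Request',
    3 => 'Billing Question',
];

/**
 * Returns the allowed subject text for the submitted form, or null if the
 * request should be rejected. $post is the raw $_POST array.
 */
function resolveSubject(array $post): ?string
{
    if (!isset($post['subject']) || !is_string($post['subject'])) {
        return null;                       // field missing, or sent as subject[]=...
    }
    // FILTER_VALIDATE_INT rejects "2abc", "" and "2 OR 1=1" outright,
    // where intval() would silently turn them into 2 (or 0).
    $id = filter_var($post['subject'], FILTER_VALIDATE_INT);
    if ($id === false || !array_key_exists($id, ALLOWED_SUBJECTS)) {
        return null;                       // not an integer, or not a known ID
    }
    return ALLOWED_SUBJECTS[$id];          // text comes from the server, never the client
}

// Constructed sample submissions: what the dropdown sends, and what a script can send.
$samples = [
    ['subject' => '2'],                    // legitimate dropdown value
    ['subject' => 'Cheap pills!!'],        // free-text subject injected by a bot
    ['subject' => '2abc'],                 // intval() would accept this as 2
    ['subject' => '99'],                   // an integer, but not in the allow-list
    ['subject' => ['1']],                  // subject[]=1, an array instead of a string
    [],                                    // field omitted entirely
];
foreach ($samples as $post) {
    $result = resolveSubject($post);
    printf("%-26s => %s\n", json_encode($post), $result ?? 'REJECT');
}
```

Only the first sample yields a subject ("Support Request"); every other submission is rejected before any email is built.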

Joshua Whitley

Reputation: 1186

Yes. This would be very simple to do and create a bot around. Something similar to Captcha or MintEye is the current best practice to avoid bot-based spamming.

Upvotes: 1

Joshua Nozzi

Reputation: 61228

You (or a browser or a spam script/app) can "POST" pretty much anything to a server. It's up to the web application to decide what is valid and take action (or ignore the request) based on the input. I would suggest you consider rewriting your EE templates to be a bit more robust (i.e., validate input before taking action).

Upvotes: 1
