Security breach / hijack of Universal Email template

5/14/2013 7:17 amSteve

Check the attachment... It shows a sequence where a hacker found out the code level processing in Universal Email and was able to push their own form values in a manner that populated the email.

The attachment shows the time stamps also which document #1 form found and populated via our top level form. #2 they find that they can submit their own form values. #3 a fully sent form using their own form post values.

I've never understood what these hackers gained by populating a form with spam values. I could understand gaining access to an SMTP server to push spam so this latest means of manipulating the Universal Email template page brings concern.

Anyone else see this type of activity and have a simple solution to stop unauthorized access?

I'll be adding a honeypot field to this form though not sure this will help since it seems the hacker is bypassing our public served form all together.

Email me with all replies to this thread

Title:

Public Message: (viewable by anyone reading this thread)
(do not cut and paste code into this field unless necessary, attach copies of your pages so they can be opened in Dreamweaver for debugging)

Type in the characters exactly as displayed below - if you don't complete the Captcha correctly you will get a blank page, so you may want to copy the text of your message before you submit!

Quote message in reply?

Private Message: (viewable only by you, the person you are replying to, and WebAssist employees)
(only put truly private information in this area such as ftp details and phone numbers. Keep as much of your post public as possible)

These attachments are private (viewable only by you, the person you are replying to, and WebAssist employees)

Manage Attachments

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

Security breach / hijack of Universal Email template

5/14/2013 7:17 amSteve