close ad
Install the LAtest Updates to Work with CC 2017 and CC 2018
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Security Question Issue

Thread began 9/04/2014 9:05 pm by operations439446 | Last modified 9/05/2014 3:11 pm by Jason Byrnes | 1120 views | 13 replies |

operations439446

Security Question Issue

Greetings, I have a site with forms on all pages. To keep it simple the client prefers the question as opposed to the number/letter thing. For the past 3 days the sites forms are being hammered by spam, right past the question security? The content of the spam is clearly bot posts for newsgroups, blogs, etc. and found a way in. The site is californiaequityinvestments.com
I am wondering if you are aware of this type of breach and perhaps have a solution. They are getting 20+ per hour. Thoughts? Here is a sample of the message content: (I have been blocking IPs via htaccess as I id them but they are using lots of different ones so this is not working)
> ----- Forwarded Message -----
> From: "quickinquiry@californiaequityinvestments.com"
> <quickinquiry@californiaequityinvestments.com>
> To: newplot1@yahoo.com
> Sent: Wednesday, September 3, 2014 11:36 AM
> Subject: QUICK INQUIRY FROM HOME PAGE
>
>
>
> Blank Template
> QUICK INQUIRY...HOME PAGE...
> A message from your home page quick inquiry
> Form Submitted:9-3-2014 | 2:36 PM EDT
> homePage submit:
> First Name:chaussure 2014 pour femme
> Email Address:wrdllkmo@gmail.com
> Last Name:http://yds.com.tw/program/imgs/ugg/20140831211127.asp
> Phone Number:chaussure 2014 pour femme
> Property Zip Code:chaussure 2014 pour femme
> Loan To Value Ratio:chaussure 2014 pour femme
> Loan Amount Needed:chaussure 2014 pour femme
> Verification:chaussure 2014 pour femme
> Comments:http://xagadoll.com/upload_files/image/sunglasses/20140831123804.asplunette de soleil
> chloe
> chaussure 2014 pour femme
> http://yds.com.tw/program/imgs/ugg/20140831211127.asp
> Additional Notes:Entire content of this transmission is the
> exclusive property of California Equity Investments. All rights
> reserved.

Sign in to reply to this post

Jason ByrnesWebAssist

Make sure that the Validation behavior and the email behavior are both using the same trigger.

Sign in to reply to this post

operations439446

Originally Said By: Jason Byrnes
  Make sure that the Validation behavior and the email behavior are both using the same trigger.  


see private message

Sign in to reply to this post

Jason ByrnesWebAssist

See pm

Sign in to reply to this post

operations439446

Originally Said By: Jason Byrnes
  See pm  


pm

Sign in to reply to this post

Jason ByrnesWebAssist

the code for the triggers is slightly different:

at line 26, the trigger for validation is:
if (isset($_POST["homePage_submit_x"])) {

at line 50 the trigger for the email is:

if ((isset($_POST["homePage_submit"]) || isset($_POST["homePage_submit_x"]))) {


What this means is:
Validation will trigger on an image element type named homePage_submit.

The email will trigger on a submit button OR image element type named homePage_submit.

a hacker could bypass validation by creating a local copy of your form set to submit to your server that uses a submit button, it would bypass the validation but still trigger the email.

i updated both triggers so that the use the same code, this should prevent the problem.

Most likely, you have an older version of Data Bridge that was used to create the form.

Sign in to reply to this post

operations439446

Hi Jason,
Yep that was built a few versions ago. I am current now. Thank you so much.
You guys rock!

Sign in to reply to this post

Jason ByrnesWebAssist

you're welcome.

Sign in to reply to this post

operations439446

pm

Sign in to reply to this post

Jason ByrnesWebAssist

I edited only the home page, that was the only link you provided.

What i did was look at the code for the triggers:


  at line 26, the trigger for validation is:
if (isset($_POST["homePage_submit_x"])) {

at line 50 the trigger for the email is:

if ((isset($_POST["homePage_submit"]) || isset($_POST["homePage_submit_x"]))) {  



I Edited the code at line 26 to use the same code as line 500, so that both lines where the same:
if ((isset($_POST["homePage_submit"]) || isset($_POST["homePage_submit_x"]))) {

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...