dotCMS hacked - We are under attack!


dotCMS hacked - We are under attack!

leonmatch@rogers.com
Our websites have been hacked!
Hackers use our Sign Up and Contact Us forms to send spam mails.
All our websites, which are made with dotCMS, are experiencing this problem. Spammers don't fill in the forms on the website. They copy the forms somehow, fill them with spam, and POST them through our server, thus avoiding client-side form validation (special characters in comments field, etc.)

The question - Is it possible in dotCMS, to add some server side validation of the content, which is sent via these forms?

We have the following code on the client side:
<form id="signup" name="signup" method="post" action="/dotCMS/sendEmail" />
I thought that I could add some validations to sendEmail, but I could not locate it on the server!?
Where is it?
Any solutions?
Help Please..!!


Re: dotCMS hacked - We are under attack!

Brad Rice-3
Read the forms documents. You can validate form fields. You can use what
dotcms provides or you can roll your own validation.

On Fri, Mar 18, 2011 at 11:28 AM, [hidden email] <[hidden email]> wrote:




--
Brad Rice
[hidden email]
~
"Truth is the offspring of silence and unbroken meditation." - Sir Isaac
Newton

Re: dotCMS hacked - We are under attack!

Mark Pitely
Brad - that's not his problem.
They are submitting a form directly to the /sendEmail function, bypassing
any validation.
I suspect we are all subject to this sort of attack if the sendEmail
process doesn't require the POST data to be coming from the server itself -
which I always assumed it did, but I guess that's what I deserve.
I could make my own 'form' on my server (or in a PHP process), following all
the dotCMS rules and just change the action field from /dotcms/sendEmail to
'http://SomeoneElsesCMSwebpage/dotcms/sendEmail' and push the mail through
however I like. See?
He's not hacked, he's just being used as an anonymous email relay.

Leon - have you tried setting a top-level redirect (Virtual Link?) for the
sendEmail to a dead place to at least stop this for now?

Leon - what version of dotCMS are you running?
Mark

Re: dotCMS hacked - We are under attack!

Maria Ahues Bouza-2
This was an issue in 1.7a but it's not an issue in Enterprise 1.7 or 1.9.



On Fri, Mar 18, 2011 at 8:44 AM, Mark Pitely <[hidden email]> wrote:




--

dotCMS
Director of Enterprise Services & Support
Main: 305.858.1422
Direct: 786.594.5272
Fax: 305.397.2579
www.dotcms.com
http://www.twitter.com/dotCMS

"Packt Publishing 2009 Finalist for Best Other Open Source CMS"

Please consider the planet before printing this email.

Re: dotCMS hacked - We are under attack!

Mark Pitely
In reply to this post by Mark Pitely
Just poking around, but /sendEmail is defined in struts-cms.xml (in
/dotCMS/WEB-INF) I'm guessing you could kill it there if you need to.
You could also redirect it here to some other process (sendmail or something
similar that you can lock down) to do your validation - but I think that the
sendEmail does more than just send email - it also creates the reports/forms
in the backend.

I'm not 100% sure on this, but you likely could configure whatever mail
relay you are using on the dotCMS machine (postfix? Is this a linux box?) to
disallow sending to/from certain domains, if that would help. Most of our
'forms' only send mail to our local domain, so we could disallow sending
elsewhere.


Mark



Re: dotCMS hacked - We are under attack!

leonmatch@rogers.com
In reply to this post by leonmatch@rogers.com
Yes, Mark is absolutely right!

As I mentioned, they are bypassing validations by submitting a form directly
to the /sendEmail function.

Where is this /sendEmail function? Maybe I could add some validations
there. How can I locate it, please?

We are running 1.7 community now

Thank you,

Leon


Re: dotCMS hacked - We are under attack!

Mark Pitely
In reply to this post by leonmatch@rogers.com
Leon,
/src/com/dotmarketing/cms/webforms/action/SubmitWebFormAction.java

is the code source, but I'm guessing you aren't a java developer otherwise
you wouldn't need me to tell you where it was!

If that is too complicated, my suggestion would be to not use 'sendEmail' as
your form action, rather, use some perl script or something like that to
process the email request and send it. You would lose the backend content
creation, but be safer.
There might be a way to intercept the output from (from within
SubmitWebFormAction)
webForm = EmailFactory.sendParameterizedEmail(parameters, toValidate,
currentHost, currentUser);

that is, catch the call from dotCMS to your system mail, and validate there
(look for a private hidden field or something like that), which would
preserve the backend saving for your legitimate mails (but still leave you
prone to getting spam in the CMS even if you didn't redirect it).
Again, what OS are you running your dotCMS on and what is your actual system
mail process? Your mail administrator may be able to catch the incoming bad
mails at the relay.
Mark

Re: dotCMS hacked - We are under attack!

leonmatch@rogers.com
In reply to this post by Maria Ahues Bouza-2
Maria,

Does this issue exist in Community 1.9?

Leon


Re: dotCMS hacked - We are under attack!

Maria Ahues Bouza-2
Leon,

It doesn't in the new form builder which is completely different in 1.9.

But in 1.9 the new form builder is not available in the Community Edition,
it's only available in the Enterprise Edition.

Thanks
Maria

On Fri, Mar 18, 2011 at 12:57 PM, [hidden email] <[hidden email]> wrote:


Re: dotCMS hacked - We are under attack!

Michael fienen
In reply to this post by Mark Pitely
Probably the simplest solution would be to add some kind of host validation to the SubmitWebFormAction class. Before it sends the email, pull a list of the hosts in the system, check it against the origin URI for a match, and reject if it is blank or some other hostname. It would probably only take 8 or 9 lines.


MPF

----- Original Message -----

From: "Mark Pitely" <[hidden email]>
To: "dotcms" <[hidden email]>
Sent: Friday, March 18, 2011 12:07:51 PM
Subject: Re: [dotcms] dotCMS hacked - We are under attack!

Re: dotCMS hacked - We are under attack!

Jason Tesser-2
Great idea Michael.  This is the beauty of Open Source.

Thanks,
Jason Tesser
dotCMS Lead Development Manager
1-305-858-1422


On Mon, Mar 21, 2011 at 10:50 AM, Michael Fienen <[hidden email]> wrote:


Re: dotCMS hacked - We are under attack!

dchang_ca
In reply to this post by Michael fienen
We ran into this security vulnerability just last week. The best solution is for you to create a plugin that will override the default /dotCMS/sendEmail action with your own form handler. You can base it off of SubmitWebFormAction, but unfortunately, there are other problems with the implementation.

The way the sendEmail handler is written, a hacker can easily modify the POST form submission to set the "useCaptcha", "to" and "from" hidden input parameters to not only bypass validation, but to also modify who the sender and the recipient of the email will be. You will need to write custom logic in your web form action class to generate, at the very least, the "to" field to prevent hackers from sending emails on your behalf.

Hope that helps,
David
