|
Our websites have been hacked!

Hackers use our Sign Up and Contact Us forms to send spam mails. All our websites, which are made with dotCMS, are experiencing this problem. Spammers don't fill in the forms on the website. They copy the forms somehow, fill them with spam, and POST them through our server, thus avoiding client-side form validation (special characters in the comments field, etc.)

The question: is it possible in dotCMS to add some server-side validation of the content which is sent via these forms?

We have the following code on the client side:

<form id="signup" name="signup" method="post" action="/dotCMS/sendEmail" />

I thought that I could add some validations to sendEmail, but I could not locate it on the server!? Where is it? Any solutions? Help please..!!
|
Read the forms documents. You can validate form fields. You can use what dotCMS provides or you can roll your own validation.

On Fri, Mar 18, 2011 at 11:28 AM, [hidden email] wrote:
> [...]

--
Brad Rice
[hidden email]
~ "Truth is the offspring of silence and unbroken meditation." - Sir Isaac Newton
|
Brad - that's not his problem.

They are submitting a form directly to the /sendEmail function, bypassing any validation. I suspect we are all subject to this sort of attack if the sendEmail process doesn't require the POST data to be coming from the server itself - which I always assumed it did, but I guess that's what I deserve.

I could make my own 'form' on my server (or in a PHP process), following all the dotCMS rules and just change the action field from /dotcms/sendEmail to 'http://SomeoneElsesCMSwebpage/dotcms/sendEmail' and push the mail through however I like. See? He's not hacked, he's just being used as an anonymous email relay.

Leon - have you tried setting a top-level redirect (Virtual Link?) for the sendEmail to a dead place to at least stop this for now?

Leon - what version of dotCMS are you running?

Mark
|
This was an issue in 1.7a but it's not an issue in Enterprise 1.7 or 1.9.

On Fri, Mar 18, 2011 at 8:44 AM, Mark Pitely <[hidden email]> wrote:
> [...]

--
dotCMS
Director of Enterprise Services & Support
Main: 305.858.1422
Direct: 786.594.5272
Fax: 305.397.2579
www.dotcms.com
http://www.twitter.com/dotCMS
"Packt Publishing 2009 Finalist for Best Other Open Source CMS"
Please consider the planet before printing this email.
|
In reply to this post by Mark Pitely

Just poking around, but /sendEmail is defined in struts-cms.xml (in /dotCMS/WEB-INF). I'm guessing you could kill it there if you need to. You could also redirect it here to some other process (sendmail or something similar that you can lock down) to do your validation - but I think that the sendEmail does more than just send email - it also creates the reports/forms in the backend.

I'm not 100% sure on this, but you likely could configure whatever mail relay you are using on the dotCMS machine (postfix? Is this a Linux box?) to disallow sending to/from certain domains, if that would help. Most of our 'forms' only send mail to our local domain, so we could disallow sending elsewhere.

Mark
|
In reply to this post by leonmatch@rogers.com

Yes, Mark is absolutely right!

As I mentioned, they are bypassing validations by submitting a form directly to the /sendEmail function. Where is this /sendEmail function? Maybe I could add some validations there. How can I locate it, please?

We are running 1.7 Community now.

Thank you,
Leon
|
In reply to this post by leonmatch@rogers.com

Leon,

/src/com/dotmarketing/cms/webforms/action/SubmitWebFormAction.java is the code source, but I'm guessing you aren't a Java developer, otherwise you wouldn't need me to tell you where it was!

If that is too complicated, my suggestion would be to not use 'sendEmail' as your form action; rather, use some perl script or something like that to process the email request and send it. You would lose the backend content creation, but be safer.

There might be a way to intercept the output from (from within SubmitWebFormAction)

    webForm = EmailFactory.sendParameterizedEmail(parameters, toValidate, currentHost, currentUser);

that is, catch the call from dotCMS to your system mail, and validate there (look for a private hidden field or something like that), which would preserve the backend saving for your legitimate mails (but still leave you prone to getting spam in the CMS even if you didn't redirect it).

Again, what OS are you running your dotCMS on and what is your actual system mail process? Your mail administrator may be able to catch the incoming bad mails at the relay.

Mark
|
In reply to this post by Maria Ahues Bouza-2

Maria,

Does this issue exist in Community 1.9?

Leon

--- In [hidden email], Maria Ahues Bouza <maria@...> wrote:
> [...]
|
Leon,

It doesn't in the new form builder, which is completely different in 1.9. But in 1.9 the new form builder is not available in the Community Edition; it's only available in the Enterprise Edition.

Thanks
Maria

On Fri, Mar 18, 2011 at 12:57 PM, [hidden email] wrote:
> [...]
|
In reply to this post by Mark Pitely

Probably the simplest solution would be to add some kind of host validation to the SubmitWebFormAction class. Before it sends the email, pull a list of the hosts in the system, check it against the origin URI for a match, reject if blank or some other hostname. Probably only take 8 or 9 lines.

MPF

----- Original Message -----
From: "Mark Pitely" <[hidden email]>
To: "dotcms" <[hidden email]>
Sent: Friday, March 18, 2011 12:07:51 PM
Subject: Re: [dotcms] dotCMS hacked - We are under attack!
> [...]
|
Great idea Michael. This is the beauty of Open Source.

Thanks,
Jason Tesser
dotCMS Lead Development Manager
1-305-858-1422

On Mon, Mar 21, 2011 at 10:50 AM, Michael Fienen <[hidden email]> wrote:
> [...]
|
In reply to this post by Michael fienen

We ran into this security vulnerability just last week. The best solution is for you to create a plugin that will override the default /dotCMS/sendEmail action with your own form handler. You can base it off of SubmitWebFormAction, but unfortunately, there are other problems with the implementation. The way the sendEmail handler is written, a hacker can easily modify the POST form submission to set the "useCaptcha", "to" and "from" hidden input parameters to not only bypass validation, but to also modify who the sender and the recipient of the email will be. You will need to write custom logic in your web form action class to generate, at the very least, the "to" field to prevent hackers from sending emails on your behalf.

Hope that helps,
David

--- In [hidden email], Michael Fienen <mfienen@...> wrote:
> [...]
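What Michael's host check and David's "generate the 'to' field yourself" advice look like when put together, as an added example written for this thread and not code from dotCMS or from any of the posters. It stands in for the form handler a replacement plugin would supply. Assumptions: the request is modelled as two maps (headers and POST parameters) rather than an HttpServletRequest so the class compiles without the servlet API; SITE_HOSTS, FORM_RECIPIENTS and the fixed From address are hard-coded placeholders for what the CMS configuration would provide; the field names name/email/comments/formId are made up for the example.

```java
import java.net.URI;
import java.util.*;
import java.util.regex.Pattern;

// Added example, not dotCMS code. Headers and POST parameters arrive as plain maps; the host
// list, recipient table and fixed sender below are assumed stand-ins for CMS configuration.
public class HardenedWebFormHandler {

    // Hosts this installation serves (in dotCMS you would pull these from the host list).
    static final Set<String> SITE_HOSTS = new HashSet<>(Arrays.asList("www.example.com", "example.com"));

    // Recipient is resolved server-side from a form id; the browser never supplies "to".
    static final Map<String, String> FORM_RECIPIENTS = new HashMap<>();
    static {
        FORM_RECIPIENTS.put("signup", "signups@example.com");
        FORM_RECIPIENTS.put("contact", "info@example.com");
    }

    // Hidden-input names the original handler trusted; a request that sets any of them is dropped.
    static final Set<String> CLIENT_MUST_NOT_SET = new HashSet<>(Arrays.asList("to", "from", "cc", "bcc", "useCaptcha"));

    static final Pattern EMAIL = Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    static final Pattern CRLF = Pattern.compile("[\\r\\n]");  // a CR/LF inside a header field injects extra headers

    /** Either a rejection reason (mail == null) or the headers and body to hand to the mailer. */
    public static final class Outcome {
        public final String rejection;
        public final Map<String, String> mail;
        Outcome(String rejection, Map<String, String> mail) { this.rejection = rejection; this.mail = mail; }
        static Outcome reject(String why) { return new Outcome(why, null); }
    }

    public static Outcome handle(Map<String, String> headers, Map<String, String> params) {
        // 1. Host check (Michael's suggestion): Origin, or Referer for older browsers, must name one
        //    of our hosts. This stops a copied form hosted elsewhere; a scripted client can forge both
        //    headers, so treat it as a first filter, not the whole defence.
        String source = headers.containsKey("Origin") ? headers.get("Origin") : headers.get("Referer");
        String host = hostOf(source);
        if (host == null || !SITE_HOSTS.contains(host)) return Outcome.reject("not from a site host: " + source);

        // 2. Envelope fields (David's point): the recipient comes from our table, never from the POST,
        //    and a request that tries to set "to"/"from"/"useCaptcha" itself is rejected outright.
        String to = FORM_RECIPIENTS.get(params.get("formId"));
        if (to == null) return Outcome.reject("unknown formId: " + params.get("formId"));
        for (String p : CLIENT_MUST_NOT_SET) {
            if (params.containsKey(p)) return Outcome.reject("client tried to set protected parameter: " + p);
        }

        // 3. The checks that used to live in client-side JavaScript, repeated where they cannot be skipped.
        String name = params.getOrDefault("name", "").trim();
        String email = params.getOrDefault("email", "").trim();
        String comments = params.getOrDefault("comments", "").trim();
        if (name.isEmpty() || name.length() > 100 || CRLF.matcher(name).find()) return Outcome.reject("bad name");
        if (!EMAIL.matcher(email).matches()) return Outcome.reject("bad email");
        if (comments.length() > 4000 || countLinks(comments) > 2) return Outcome.reject("comments look like spam");

        // 4. Fixed From; the visitor's address goes only in Reply-To, so the site never sends mail
        //    on behalf of an address it did not choose.
        Map<String, String> mail = new LinkedHashMap<>();
        mail.put("To", to);
        mail.put("From", "webforms@example.com");
        mail.put("Reply-To", email);
        mail.put("Subject", "Web form: " + params.get("formId"));
        mail.put("Body", "Name: " + name + "\nEmail: " + email + "\n\n" + comments);
        return new Outcome(null, mail);
    }

    /** Lower-cased host of an absolute URL; null when the header is absent or not a URL. */
    static String hostOf(String url) {
        try { String h = url == null ? null : URI.create(url).getHost(); return h == null ? null : h.toLowerCase(Locale.ROOT); }
        catch (IllegalArgumentException e) { return null; }
    }

    /** Crude spam signal: count the URLs in free text. */
    static int countLinks(String text) {
        String lower = text.toLowerCase(Locale.ROOT);
        int n = 0;
        for (int i = lower.indexOf("http"); i >= 0; i = lower.indexOf("http", i + 4)) n++;
        return n;
    }

    static Map<String, String> map(String... kv) {  // helper for the constructed sample requests below
        Map<String, String> m = new HashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        // Constructed samples: a copied form on someone else's host picking its own recipient, then a real one.
        Outcome relay = handle(map("Origin", "http://SomeoneElsesCMSwebpage"),
                map("formId", "contact", "to", "victim@example.net", "useCaptcha", "false"));
        System.out.println("relay attempt: " + relay.rejection);
        Outcome ok = handle(map("Origin", "https://www.example.com"),
                map("formId", "contact", "name", "Leon", "email", "leon@example.org", "comments", "Question about your product."));
        System.out.println("legit: " + ok.mail);
    }
}
```

The relay attempt fails at step 1 (wrong host); had it come with a forged Origin it would still fail at step 2, because the handler refuses any request carrying "to" or "useCaptcha" at all rather than merely ignoring them. Whether a CAPTCHA is required should likewise be a per-form setting on the server, never the hidden "useCaptcha" input. Mark's suggestion of restricting the relay (postfix or whatever the box runs) to the site's own recipient domains remains a good second layer: if the handler is ever bypassed again, the MTA will not deliver to arbitrary addresses.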
