    MrFussyfont Reply #1, 9 years ago
    I have a client on Revo 2.2.15 who started getting emails from their FormIt contact form showing the Modx variables like this:
    Name: 1"
    Title: [[+title]]
    Company: [[+company]]
    Phone: [[+phone]]
    Email: [[+email]]
    Message:
    [[+text]]
    We found corresponding requests like this:
    "POST /company/contact.html HTTP/1.1" 200 7786 "-" "-"
    The form is using the spam and validation hooks as well as a honeypot. We've blocked the IP address of this user. Is there anything else we could/should do? Also, can someone explain how an attack like this works given the POST example above?

    Thanks,
    Wes [ed. note: MrFussyfont last edited this post 9 years ago.]
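    The request quoted above carries "-" for both Referer and User-Agent, which is a useful triage signal when the same site sees more of these. The following is an added example, not part of the thread: it parses combined-format access log lines (constructed here, modelled on the quoted request) and flags POSTs to the contact page that lack the headers a browser normally sends.

```python
import re
from typing import NamedTuple

# Constructed sample lines in Apache/nginx "combined" format; the quoted request
# in the post had its IP and timestamp stripped, so these are illustrative.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2015:01:12:03 +0000] "POST /company/contact.html HTTP/1.1" 200 7786 "-" "-"
198.51.100.7 - - [17/Mar/2015:01:13:44 +0000] "POST /company/contact.html HTTP/1.1" 200 7790 "https://domain.name/company/contact.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
203.0.113.5 - - [17/Mar/2015:01:12:09 +0000] "GET /company/contact.html HTTP/1.1" 200 7786 "-" "-"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


class Finding(NamedTuple):
    ip: str
    time: str
    reasons: tuple


def suspicious_form_posts(log_text: str, form_path: str) -> list:
    """Return POSTs to form_path that lack a User-Agent and/or Referer.

    A missing User-Agent is the stronger signal; a missing Referer on its own
    can be a privacy setting, so both are reported and left to the analyst.
    """
    findings = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or m["method"] != "POST" or m["path"] != form_path:
            continue
        reasons = []
        if m["agent"] == "-":
            reasons.append("no User-Agent")
        if m["referer"] == "-":
            reasons.append("no Referer")
        if reasons:
            findings.append(Finding(m["ip"], m["time"], tuple(reasons)))
    return findings
```

    A scripted client can of course send any User-Agent it likes, so this only surfaces the careless cases for review; it is not a blocking rule.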
      treigh Reply #2, 9 years ago
      Can you post your FormIt call here as well as the content of your email tpl. There may be something being overlooked.
        A MODx Fanatic
        MrFussyfont Reply #3, 9 years ago
        Quote from: treigh at Mar 17, 2015, 01:40 AM
        Can you post your FormIt call here as well as the content of your email tpl. There may be something being overlooked.
        Here is the contact page:
        [[!FormIt?
           &hooks=`spam,email,FormItAutoResponder,redirect`
           &emailTpl=`contactFormChunk`
           &emailTo=`[email protected]`
           &emailSubject=`Message from Contact Form`
           &store=`1` &redirectTo=`41`
           &fiarTpl=`contactFormAutoResponse`
           &fiarSubject=`Your message to (Company Name)`
           &fiarFrom=`[email protected]`
           &fiarFromName=`domain.name`
        ]]
        <p class="error hidden">[[+fi.error.error_message]]</p>
        <form action="[[~[[*id]]]]" method="post">
            <label for="name" class="left">Name [[+fi.error.name]]
                <input type="text" size="30" maxlength="40" name="name:required" id="name" value="[[+fi.name]]" /></label>
            <label for="title">Title</label>
            <input type="text" size="20" maxlength="30" name="title" id="title" value="[[+fi.title]]" />
            <div class="clear">
                <label for="email" class="left">Email [[+fi.error.email]]
                    <input type="text" size="30" maxlength="50" name="email:email:required" id="email" value="[[+fi.email]]" /></label>
                <label for="phone">Phone [[+fi.error.phone]]
                    <input type="text" size="20" maxlength="20" name="phone:required" id="phone" value="[[+fi.phone]]" /></label>
            </div>
            <label class="clear" for="company">Company <input type="text" size="30" maxlength="50" name="company" id="company" value="[[+fi.company]]" /></label>
            <label for="text">Message [[+fi.error.text]]</label>
            <textarea name="text:required:stripTags" id="text" cols="55" rows="7">[[+fi.text]]</textarea>
            <label class="catalogLabel" for="catalog"><input type="checkbox" id="catalog" name="catalog" value="NO" /> Please mail me your Industrial Supplies catalog</label>
            <label class="catalogLabel" for="safetyCatalog"><input type="checkbox" id="safetyCatalog" name="safetycatalog" value="NO" /> Please mail me your Safety Equipment catalog</label>
            <div id="addressDiv" class="hidden">
                <label for="address">Mailing Address</label>
                <textarea name="address:stripTags" id="address" cols="30" rows="6">[[+fi.address]]</textarea>
            </div>
            <input id="faker" type="text" name="comments:blank" value="" />
            <input type="submit" value="Send Message" />
        </form>
        

        Here is contactFormChunk (quoted version in my OP is shortened; this is the whole thing):
        <b>Name:</b> [[+name]]<br />
        <b>Title:</b> [[+title]]<br />
        <b>Company:</b> [[+company]]<br /> 
        <b>Phone:</b> [[+phone]]<br />
        <b>Email:</b> [[+email]]<br />
        <b>Send E-News:</b> [[+e-news:empty=`NO`]]<br />
        [[+catalog:notempty=`<b>Send Catalog:</b> YES<br />`]] 
        [[+safetycatalog:notempty=`<b>Send Safety Catalog:</b> YES<br />`]] 
        <b>Mailing Address:</b>
        <pre>[[+address]]</pre><br />
        <b>Message:</b>
        <pre>[[+text]]</pre> 
        

        Note that this has been working well for years. This is the first time anything like this has happened.
          treigh Reply #4, 9 years ago
          Not sure if it's related, but I noticed that your fields are expecting a validation of some sort e.g. name:required, but your call doesn't include the validation property. Why don't you try either one of the following to see what you get:

          With validation:
          [[!FormIt?
             &hooks=`spam,email,FormItAutoResponder,redirect`
             &emailTpl=`contactFormChunk`
             &emailTo=`[email protected]`
             &emailSubject=`Message from Contact Form`
             &store=`1` 
             &redirectTo=`41`
             &fiarTpl=`contactFormAutoResponse`
             &fiarSubject=`Your message to (Company Name)`
             &fiarFrom=`[email protected]`
             &fiarFromName=`domain.name`
             &validate=`name:required,
                email:email:required,
                phone:required`
          ]]
          
          Or remove the validation requirement from your fields just for testing purposes.
            A MODx Fanatic
            BobRay Reply #5, 9 years ago
            Do you have the allow_tags_in_post System Setting off? If things still work with it off, it might help.

            &clearFieldsOnSuccess=`1` might also help, though the hackers are probably making sure the submission is not successful.

            IIRC, FormIt makes sure to entify any tags in the post, so the hacker will only see the unprocessed tags. No sensitive information will be exposed.
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
              MrFussyfont Reply #6, 9 years ago
              Quote from: treigh at Mar 17, 2015, 04:35 AM
              Not sure if it's related, but I noticed that your fields are expecting a validation of some sort e.g. name:required, but your call doesn't include the validation property.
              Thanks. The validation works, but I think it's using an older style that's deprecated and going to be removed in a future version. So I should probably change it.
                MrFussyfont Reply #7, 9 years ago
                Quote from: BobRay at Mar 17, 2015, 07:54 AM
                Do you have the allow_tags_in_post System Setting off?
                Yes.
                &clearFieldsOnSuccess=`1` might also help, though the hackers are probably making sure the submission is not successful.
                Probably useless, since my form redirects (docs say "will clear the fields on a successful form submission that does not redirect").

                IIRC, FormIt makes sure to entify any tags in the post, so the hacker will only see the unprocessed tags. No sensitive information will be exposed.
                You mean HTML tags? But with allow_tags off there won't be any tags anyway.
                Thanks for the suggestions.
                • W. Shawn Wilkerson Reply #8, 9 years ago
                  Instead of the title "Formit Exploit", this should have been named "Formit Stops Exploit with unintended results".

                  The person attempted to do a simple MySQL injection.

                  A simple change would have stopped them in their tracks.

                    <label for="email" class="left">Email  [[+fi.error.email]]
                      <input type="text" size="30" maxlength="50" name="email:email:required" id="email" value="[[+fi.email]]" />


                  Should have been:

                    <label for="email" class="left">Email  [[+fi.error.email]]
                      <input type="text" size="30" maxlength="50" name="email:email:required" id="email" value="[[+fi.email]]" required="required" />


                  The :required in the name attribute is for Formit to process, which has to be submitted to take effect.

                  The required="required" tells the browser to not accept a submit request at all until the condition is met.

                  You can also add minimum lengths and other attributes for the field input to provide further protection.

                  I would suggest moving to HTML5 in the near future as it has a more robust form subsystem.

                  You also might want to consider updating Revo and the packages.
                    Get your copy of MODX Revolution Building the Web Your Way http://www.sanitypress.com/books/modx-revolution-building-the-web-your-way.html

                    Check out my MODX || xPDO resources here: http://www.shawnwilkerson.com
                    MrFussyfont Reply #9, 9 years ago
                    Shawn, thank you for your suggestions. Yes, the site is old and should be updated to HTML5. However, my understanding is that the attacker was not using a standard browser (no user agent in the log), so browser-based protections would have no effect. Am I wrong?
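                    Because a scripted POST never sees the browser's required="required", the checks that matter are the ones run on the server. The following added example (not FormIt's or MODX's code; Python standing in for the PHP a custom hook would contain) applies the rules visible in the posted form: the four required fields, the email format, the blank honeypot, and entity-encoding of submitted values so that HTML and MODX tag syntax stay literal text when merged into the email chunk. The `&#91;`/`&#93;` encoding of the brackets is an assumption about how to neutralise the tags.

```python
import html
import re
from dataclasses import dataclass, field

# Rules taken from the form above: "name:required", "email:email:required",
# "phone:required", "text:required:stripTags" and the hidden "comments:blank" input.
REQUIRED = ("name", "email", "phone", "text")
HONEYPOT = "comments"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Result:
    ok: bool
    errors: dict = field(default_factory=dict)
    clean: dict = field(default_factory=dict)


def validate_submission(post: dict) -> Result:
    """Server-side validation that does not rely on anything the browser enforced."""
    errors = {}
    # A filled honeypot means the hidden field was populated by something other than a person.
    if post.get(HONEYPOT, ""):
        errors[HONEYPOT] = "honeypot filled"
    # Every required field must be present and non-blank; a POST that sends only
    # "name" (as in the quoted email) fails here before any mail is built.
    for name in REQUIRED:
        if not post.get(name, "").strip():
            errors[name] = "required"
    email = post.get("email", "")
    if email and not EMAIL_RE.match(email):
        errors["email"] = "invalid email"
    if errors:
        return Result(False, errors)
    clean = {}
    for key, value in post.items():
        # Escape HTML first, then replace the MODX tag delimiters, so a submitted
        # "[[+title]]" or "<b>" reaches the email template as inert text.
        value = html.escape(value, quote=True)
        value = value.replace("[[", "&#91;&#91;").replace("]]", "&#93;&#93;")
        clean[key] = value
    return Result(True, {}, clean)
```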
                    • W. Shawn Wilkerson Reply #10, 9 years ago
                      Quote from: MrFussyfont at Mar 17, 2015, 02:55 PM
                      Shawn, thank you for your suggestions. Yes, the site is old and should be updated to HTML5. However, my understanding is that the attacker was not using a standard browser (no user agent in the log), so browser-based protections would have no effect. Am I wrong?

                      The submit button would not work in the vast majority of scenarios. It is better to catch it on the page instead of waiting for the PHP backend to grab it.

                      Of course the best is multiple layers.
                        Get your copy of MODX Revolution Building the Web Your Way http://www.sanitypress.com/books/modx-revolution-building-the-web-your-way.html

                        Check out my MODX || xPDO resources here: http://www.shawnwilkerson.com