Name: 1
Title: [[+title]]
Company: [[+company]]
Phone: [[+phone]]
Email: [[+email]]
Message:
[[+text]]

We found corresponding requests like this:

"POST /company/contact.html HTTP/1.1" 200 7786 "-" "-"

The form is using the spam and validation hooks as well as a honeypot. We've blocked the IP address of this user. Is there anything else we could/should do? Also, can someone explain how an attack like this works given the POST example above?
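The log line above already shows the shape of the submission: a POST straight to the contact page with "-" for both Referer and User-Agent, i.e. a script sending the request without ever loading the form in a browser. The following is an added example (not from the thread or from MODX/FormIt) that parses combined-format access log lines and flags such direct posts; the log lines and the endpoint path are constructed for illustration.

```python
"""Flag direct-to-endpoint form POSTs in Apache/nginx combined-format access logs.

Added example, not part of the original thread: the constructed log lines below
imitate the request shown in the first post (a POST to /company/contact.html
with "-" for both Referer and User-Agent) next to an ordinary browser submission.
"""
import re
from typing import Dict, List, Optional, Tuple

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

FORM_PATH = "/company/contact.html"   # assumption: the endpoint named in the thread


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its named parts (None if it does not match)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Return why a parsed request looks like a scripted form post (empty list = unremarkable)."""
    reasons: List[str] = []
    if entry["method"] != "POST" or entry["path"] != FORM_PATH:
        return reasons
    if entry["agent"] in ("", "-"):
        reasons.append("no User-Agent")
    if entry["referer"] in ("", "-"):
        reasons.append("no Referer (form page not loaded first)")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (client host, reasons) for every line that looks like a direct form post."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((entry["host"], reasons))
    return hits


# Constructed sample log lines (documentation IP ranges, not the thread's server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "POST /company/contact.html HTTP/1.1" 200 7786 "-" "-"',
    '198.51.100.2 - - [10/Oct/2012:13:56:01 +0000] "GET /company/contact.html HTTP/1.1" 200 7786 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2012:13:56:40 +0000] "POST /company/contact.html HTTP/1.1" 200 7786 "http://example.com/company/contact.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG):
        print(host, "->", "; ".join(reasons))
```

Treat the output as a triage signal for which addresses to look at, not as a control: a script can send any Referer and User-Agent it likes, so the absence of both only identifies the lazy ones. The check that holds regardless of headers is the server-side validation discussed later in the thread.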
Can you post your Formit call here as well as the content of your email tpl. There may be something being overlooked.

Here is the contact page:

[[!FormIt?
   &hooks=`spam,email,FormItAutoResponder,redirect`
   &emailTpl=`contactFormChunk`
   &emailTo=`[email protected]`
   &emailSubject=`Message from Contact Form`
   &store=`1`
   &redirectTo=`41`
   &fiarTpl=`contactFormAutoResponse`
   &fiarSubject=`Your message to (Company Name)`
   &fiarFrom=`[email protected]`
   &fiarFromName=`domain.name`
]]
<p class="error hidden">[[+fi.error.error_message]]</p>
<form action="[[~[[*id]]]]" method="post">
  <label for="name" class="left">Name [[+fi.error.name]]
    <input type="text" size="30" maxlength="40" name="name:required" id="name" value="[[+fi.name]]" />
  </label>
  <label for="title">Title</label>
  <input type="text" size="20" maxlength="30" name="title" id="title" value="[[+fi.title]]" />
  <div class="clear">
    <label for="email" class="left">Email [[+fi.error.email]]
      <input type="text" size="30" maxlength="50" name="email:email:required" id="email" value="[[+fi.email]]" />
    </label>
    <label for="phone">Phone [[+fi.error.phone]]
      <input type="text" size="20" maxlength="20" name="phone:required" id="phone" value="[[+fi.phone]]" />
    </label>
  </div>
  <label class="clear" for="company">Company
    <input type="text" size="30" maxlength="50" name="company" id="company" value="[[+fi.company]]" />
  </label>
  <label for="text">Message [[+fi.error.text]]</label>
  <textarea name="text:required:stripTags" id="text" cols="55" rows="7">[[+fi.text]]</textarea>
  <label class="catalogLabel" for="catalog">
    <input type="checkbox" id="catalog" name="catalog" value="NO" /> Please mail me your Industrial Supplies catalog
  </label>
  <label class="catalogLabel" for="safetyCatalog">
    <input type="checkbox" id="safetyCatalog" name="safetycatalog" value="NO" /> Please mail me your Safety Equipment catalog
  </label>
  <div id="addressDiv" class="hidden">
    <label for="address">Mailing Address</label>
    <textarea name="address:stripTags" id="address" cols="30" rows="6">[[+fi.address]]</textarea>
  </div>
  <!-- honeypot field: hidden from users, must be submitted blank -->
  <input id="faker" type="text" name="comments:blank" value="" />
  <input type="submit" value="Send Message" />
</form>
<b>Name:</b> [[+name]]<br />
<b>Title:</b> [[+title]]<br />
<b>Company:</b> [[+company]]<br />
<b>Phone:</b> [[+phone]]<br />
<b>Email:</b> [[+email]]<br />
<b>Send E-News:</b> [[+e-news:empty=`NO`]]<br />
[[+catalog:notempty=`<b>Send Catalog:</b> YES<br />`]]
[[+safetycatalog:notempty=`<b>Send Safety Catalog:</b> YES<br />`]]
<b>Mailing Address:</b> <pre>[[+address]]</pre><br />
<b>Message:</b> <pre>[[+text]]</pre>
[[!FormIt?
   &hooks=`spam,email,FormItAutoResponder,redirect`
   &emailTpl=`contactFormChunk`
   &emailTo=`[email protected]`
   &emailSubject=`Message from Contact Form`
   &store=`1`
   &redirectTo=`41`
   &fiarTpl=`contactFormAutoResponse`
   &fiarSubject=`Your message to (Company Name)`
   &fiarFrom=`[email protected]`
   &fiarFromName=`domain.name`
   &validate=`name:required,email:email:required,phone:required`
]]
Not sure if it's related, but I noticed that your fields are expecting a validation of some sort e.g. name:required, but your call doesn't include the validation property.

Thanks. The validation works, but I think it's using an older style that's deprecated and going to be removed in a future version. So I should probably change it.

Do you have the allow_tags_in_post System Setting off?

Yes.

&clearFieldsOnSuccess=`1` might also help, though the hackers are probably making sure the submission is not successful.

Probably useless, since my form redirects (docs say "will clear the fields on a successful form submission that does not redirect").
You mean HTML tags? But with allow_tags off there won't be any tags anyway.
IIRC, FormIt makes sure to entify any tags in the post, so the hacker will only see the unprocessed tags. No sensitive information will be exposed.
<label for="email" class="left">Email [[+fi.error.email]] <input type="text" size="30" maxlength="50" name="email:email:required" id="email" value="[[+fi.email]]" />
<label for="email" class="left">Email [[+fi.error.email]] <input type="text" size="30" maxlength="50" name="email:email:required" id="email" value="[[+fi.email]]" required="required" />
Shawn, thank you for your suggestions. Yes, the site is old and should be updated to HTML5. However, my understanding is that the attacker was not using a standard browser (no user agent in the log), so browser-based protections would have no effect. Am I wrong?
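A script that posts directly never sees the browser's required attribute, so the checks that decide anything are the server-side rules: the validate property discussed earlier, the comments:blank honeypot, stripTags, and the entity-encoding of values before they go into the email. The following is an added example, not FormIt's own PHP, that re-implements those rule names in Python for the exact field set of the form in this thread and runs three constructed submissions through them (a bare scripted post, a post that fills the honeypot, and a normal one). The rule table and sample payloads are assumptions built from the form markup; real FormIt behaviour may differ in details.

```python
"""Server-side validation in the style of FormIt's validate rules.

Added example, not FormIt's own code: a small re-implementation of the rule
names used in the thread's form (required, email, blank, stripTags) plus the
entity-encoding step, to show what a direct POST from a script is checked
against. Real FormIt is PHP inside MODX; this mirrors only the idea.
"""
import html
import re
from typing import Dict, List, Tuple

# Rule set read off the thread's form (field -> validators, in order).
# Assumption: the old "field:rule:rule" input-name style and the &validate
# property express the same rules; here they are written out explicitly.
RULES: Dict[str, List[str]] = {
    "name": ["required"],
    "title": [],
    "email": ["email", "required"],
    "phone": ["required"],
    "company": [],
    "text": ["required", "stripTags"],
    "address": ["stripTags"],
    "comments": ["blank"],        # honeypot: hidden field, must stay empty
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TAG_RE = re.compile(r"<[^>]*>")


def validate(post: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply RULES to a raw POST dict; return (cleaned fields, error list).

    Missing fields are treated as empty strings, which is exactly what a
    script that simply omits them produces on the server.
    """
    cleaned: Dict[str, str] = {}
    errors: List[str] = []
    for field, validators in RULES.items():
        value = post.get(field, "")
        for rule in validators:
            if rule == "required" and value.strip() == "":
                errors.append(f"{field}: required")
            elif rule == "email" and value and not EMAIL_RE.match(value):
                errors.append(f"{field}: not an email address")
            elif rule == "blank" and value != "":
                errors.append(f"{field}: honeypot filled")
            elif rule == "stripTags":
                value = TAG_RE.sub("", value)
        cleaned[field] = value
    return cleaned, errors


def render_email(fields: Dict[str, str]) -> str:
    """Build the notification body, entity-encoding every value (the 'entify' step)."""
    lines = [f"{k.capitalize()}: {html.escape(v)}" for k, v in fields.items() if k != "comments"]
    return "\n".join(lines)


# Constructed payloads, not the thread's actual POST bodies.
SCRIPTED_POST = {"name": "1"}                       # everything else omitted
HONEYPOT_POST = {"name": "Bob", "email": "bob@example.org", "phone": "555-0100",
                 "text": "hello", "comments": "filled by a bot"}
GOOD_POST = {"name": "Ann", "email": "ann@example.org", "phone": "555-0101",
             "company": "Smith & Sons", "text": "Please send the <b>catalog</b>",
             "comments": ""}

if __name__ == "__main__":
    for label, post in (("scripted", SCRIPTED_POST), ("honeypot", HONEYPOT_POST), ("good", GOOD_POST)):
        cleaned, errors = validate(post)
        print(label, "->", errors or "accepted")
        if not errors:
            print(render_email(cleaned))
```

Two things worth noticing when running it: the scripted post's "Name: 1" passes required, because required only says the field is non-empty, so it is the honeypot and the other required fields that actually reject it; and the email body is entity-encoded, which is why unprocessed tags in a submission only ever reach the recipient as literal text.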