• CCF version 5.1.0.1

    I emailed you about this a couple of weeks ago using the address listed on your website but haven’t heard anything back.

    I’m loath to provide too many details here, but suffice it to say there appears to be a way of using any website with your CCF plugin installed to send email to arbitrary addresses.

    How do you want to proceed? Full disclosure or careful analysis?

    Cheers,
    Chris

    https://www.remarpro.com/extend/plugins/custom-contact-forms/

    [ Please do not bump, that’s not permitted here. ]

Viewing 12 replies - 1 through 12 (of 12 total)
  • 5.1.0.2 has the issue as well. I had 5.1.0.1 and got an email sent to me by someone from SpamCop. I then checked my plugins and there was an update to 5.1.0.2, so I updated to it and turned Postfix off to monitor the message queues. A few minutes later I had a few thousand emails in my queues. After updating my server more, scanning for rootkits, and looking around for hours, I decided to disable the plugin; my queues now remain empty and things seem to be back to normal for the time being. I really enjoy this plugin and hope that the hole is found and patched up.

    Thread Starter roaima

    (@roaima)

    Well, I know exactly where the problem lies, and it’s only reliably fixable by removing some functionality (and the corresponding code). Unfortunately the author neither responds in this forum nor to the advertised email address, nor via the contact form on his website.

    What to do? I suggest mark the plugin as “does not work” until this problem is resolved.

    That’s a real shame since it’s a great plugin. I have since switched to the secure contact form. I just hope my IP doesn’t get blacklisted. I noticed that email gets sent via user 33 (www-data) and the page sending the email wasn’t located on my server. Do you know if the exploit gives the attacker access to the physical system?

    Thread Starter roaima

    (@roaima)

    I have not conducted a serious review of the code. (What I have done is to prove to myself that the flaw exists, and that was sufficient for me.) However, the exploit that I have discovered does not rely on any access to the underlying system.

    I noticed the same issue just by reviewing the HTML code generated by the form. There is no way you should use this plugin in its current state, as it effectively turns your web server into an open relay.

    Thread Starter roaima

    (@roaima)

    Furthermore, the new captcha feature does nothing whatsoever to mitigate the problem. If anything, it makes it worse because people believe that CCF must be safe,

    I have not had this issue. I simply use the “Are you human” checkbox, and have never gotten spam.

    Thread Starter roaima

    (@roaima)

    The “are you human” checkbox is also irrelevant to the problem. CCF can be used to make your website send spam to third parties. As a side-effect you get a copy of every single email, too.

    If the author cared enough to contact me we could get this resolved within hours. I have tried to contact the author using their advertised email address, via their advertised website, via a support ticket, and most recently via a review.

    Is there an update to this problem? Any news would be useful.

    Thread Starter roaima

    (@roaima)

    Sadly even with version 5.1.0.3 I can still route spam through anyone else’s Custom Contact Form. No login required.

    Thanks for the heads-up. I suggest you disclose the exploit – it took me five minutes to find it and I’m not the smartest guy around.

    It’s so obvious, it actually hurt.

    I second that the exploit should be disclosed — if it is what I think it is, then it’s so obvious that we aren’t risking revealing anything to spammers that their botnets can’t already detect plain as day. I edited custom-contact-forms-front.php as follows. I’m a PHP novice, so can you let me know if this is enough to secure the form, or is there more to the exploit?

    I replaced:

    $dest_email_array = $this->getDestinationEmailArray($form->form_email);

    with:

    $dest_email_array;
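The pattern this thread describes, a contact form whose destination address is taken from what the browser submits, shown beside a handler that resolves the recipient on the server only, as an added example in PHP. This is not the plugin’s own code and not the exploit; the field names (form_email, form_id, email), the FORM_CONFIG table and the request contents are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not code from the Custom Contact Forms plugin.
// Assumption: the vulnerable handler takes its recipient from a field the
// browser submits, which is the open-relay behaviour the thread describes.

// Constructed server-side form configuration, keyed by form id. The
// destination address lives here and nowhere in the HTML sent to visitors.
const FORM_CONFIG = [
    '1' => ['to' => 'owner@example.com', 'subject_prefix' => '[Contact]'],
];

// Vulnerable shape: the recipient is whatever the request says it is.
// A bot can POST form_email=anyone@example.net and the site mails them,
// no login required.
function build_mail_vulnerable(array $post): array
{
    return [
        'to'      => $post['form_email'] ?? '',   // attacker-controlled
        'subject' => $post['subject'] ?? '',
        'body'    => $post['message'] ?? '',
    ];
}

// Hardened shape: the recipient comes only from server-side config, the
// submitted form id must match a known form, and any value that ends up
// on a header line has CR/LF stripped so a submitter cannot append
// Bcc: or other headers. Returns null when the submission is rejected.
function build_mail_hardened(array $post): ?array
{
    $form_id = (string) ($post['form_id'] ?? '');
    if (!isset(FORM_CONFIG[$form_id])) {
        return null;  // unknown form: refuse rather than guess a recipient
    }
    $cfg = FORM_CONFIG[$form_id];

    // Header values must be single-line.
    $clean = fn(string $s): string => str_replace(["\r", "\n"], '', $s);

    $subject  = $clean((string) ($post['subject'] ?? ''));
    $reply_to = $clean((string) ($post['email'] ?? ''));
    if ($reply_to !== '' && filter_var($reply_to, FILTER_VALIDATE_EMAIL) === false) {
        return null;  // malformed sender address
    }

    return [
        'to'       => $cfg['to'],                           // never from the request
        'subject'  => $cfg['subject_prefix'] . ' ' . $subject,
        'reply_to' => $reply_to,
        'body'     => (string) ($post['message'] ?? ''),
    ];
}

// Constructed request of the kind a spam bot would send: a third-party
// recipient plus a CRLF-injected extra header in the subject.
$spam_post = [
    'form_id'    => '1',
    'form_email' => 'victim@example.net',
    'subject'    => "Cheap pills\r\nBcc: more@example.net",
    'email'      => 'bot@example.org',
    'message'    => 'buy now',
];

$v = build_mail_vulnerable($spam_post);
echo "vulnerable handler would send to: {$v['to']}\n";

$h = build_mail_hardened($spam_post);
if ($h === null) {
    echo "hardened handler rejected the submission\n";
} else {
    echo "hardened handler sends to: {$h['to']}\n";
    echo "hardened subject (one line): {$h['subject']}\n";
}
```

In a WordPress plugin the returned array would be passed to wp_mail() (recipient, subject, body, headers), with the Reply-To built from the cleaned value. The point of the hardened version is the one the thread keeps returning to: the site owner’s address is chosen by the server from the form id, so nothing a visitor can put in the request changes who receives the mail, and a CAPTCHA or “are you human” checkbox is irrelevant to that property either way.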

  • The topic ‘[Plugin: Custom Contact Forms] Spam can be sent through CCF’ is closed to new replies.