Possible phpList exploit? Spam sign-ups through a back door??

Postby peterf » 10:30pm, Tue 06 Mar, 2007

(sorry, posted this in 'Add ons' by accident!)


We have a standard recent phpList install, and have been getting numerous spurious 'sign-ups' in the form of HTML spam, like this (the URL has been obfuscated to deny them any trackable breadcrumbs):

teroi gmail com has subscribed

Subscribe page: 2
State = Arizona
Prefix = hello world "THERE'S HTML HERE, but the forum won't post it"
First Name = hello world "THERE'S HTML HERE, but the forum won't post it"
Middle Name = hello world "THERE'S HTML HERE, but the forum won't post it"
Last Name = hello world "THERE'S HTML HERE, but the forum won't post it"
etc etc

List Membership:

* List 1
* List 2
* List 3
* List 4
* List5


------ End of Forwarded Message


We've noted that every one of these hits all five available lists.

We have implemented an HTML block on the sign-up FORM, without successfully blocking these, so it appears that they are posting directly to phpList, rather than manipulating the form.

Has anyone else had similar problems, and/or can anyone point us toward a solution? While this is currently at nuisance levels, there is the obvious potential for DoS and other attacks...

Many thanks

PF
pet erf a t m ac c om


also:
Just an addendum to Peter's post above.

When a spammer joins, they seem to join all 5 public lists from the get-go, but no form exists where all 5 lists are selectable; that may only be accomplished via the profile editor page.

If the subs to all 5 were being accomplished via the profile editor, then I'd get a "Lists information changed" email, but I do not.

This leads us to believe that spammers are using some kind of exploit or back door to register and insert HTML into profile fields.
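A server-side check of the kind this report calls for, added here as an illustration and not phpList's own code: it rejects a subscribe POST whose list ids go beyond what the named subscribe page offers, or whose profile fields contain HTML, regardless of any client-side block on the form. The field names, the page-to-lists map and the sample request are assumed or constructed for the example.

```php
<?php
// Added example (not phpList code). Assumed: $subscribePageLists maps a subscribe-page id
// to the list ids that page offers; $attributeFields names the free-text profile attributes.
$subscribePageLists = [2 => [1, 2]];          // constructed: page 2 offers lists 1 and 2 only
$attributeFields    = ['prefix', 'firstname', 'middlename', 'lastname'];

/**
 * Returns rejection reasons; an empty array means the request is acceptable.
 * Runs on what was actually POSTed, so a client-side block on the form is not relied upon.
 */
function validateSubscribePost(array $post, array $subscribePageLists, array $attributeFields): array
{
    $reasons = [];

    $pageId = isset($post['id']) ? (int) $post['id'] : 0;
    if (!isset($subscribePageLists[$pageId])) {
        $reasons[] = "unknown subscribe page $pageId";
        return $reasons;
    }

    // A direct POST naming every public list fails here, because the page never offered them.
    $requested  = array_map('intval', (array) ($post['list'] ?? []));
    $notOffered = array_diff($requested, $subscribePageLists[$pageId]);
    if ($notOffered) {
        $reasons[] = 'lists not offered on this page: ' . implode(',', $notOffered);
    }

    // Reject rather than silently strip HTML, so the attempt shows up in the log.
    foreach ($attributeFields as $field) {
        $value = (string) ($post[$field] ?? '');
        if ($value !== strip_tags($value)) {
            $reasons[] = "HTML in field $field";
        }
    }

    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $reasons[] = 'invalid email';
    }
    return $reasons;
}

// Constructed request modelled on the forwarded notification: page 2, all five lists, HTML in a name field.
$sample  = ['id' => 2, 'email' => 'user@example.com', 'list' => [1, 2, 3, 4, 5],
            'prefix' => 'hello world <a href="http://example.invalid/">x</a>', 'firstname' => 'hello world'];
$reasons = validateSubscribePost($sample, $subscribePageLists, $attributeFields);
if ($reasons) {
    error_log('subscribe rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli') . ': ' . implode('; ', $reasons));
}
```

The rejection log line is what to alert on: a steady stream of "lists not offered on this page" entries is the signature of the direct-post behaviour described in the report.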

Postby H2B2 » 11:34pm, Tue 06 Mar, 2007

You might find this an interesting thread: http://forums.phplist.com/viewtopic.php?t=3402

Postby peterf » 11:46pm, Tue 06 Mar, 2007

H2B2 wrote: You might find this an interesting thread:...

Indeed
Many thanks!
If the phpBB search was a wee bit more thorough, I might have found this before ;-)

PF