Kryptronic Software Support Forum


#1 10-12-2013 09:53:21

asackett
Member
Registered: 07-30-2013
Posts: 7

How To Disable Email Friend?

Our site just got whacked by a spammer by way of the emailfriend function (URL ending in "app=ecom&ns=emailfriend"), leaving our mail server blacklisted and the mail queue a mile deep. Naturally, I've firewalled out the attacker's IP address and shut down the mail server for the time being. I can't leave the mail server down forever, and as soon as the attacker finds another zombie outside of the firewalled netblock he'll be back again. I've just changed the setting "Display Email a Friend Link" to false, but I suspect that this simply removes the link rather than disabling the function entirely. If this is the case it won't do what I need done as the spammer's bot has already got the URL of the function.

How would I go about completely disabling that function so that no matter what gets posted to that URL no mail is sent?

Offline

 

#2 10-14-2013 03:39:56

curve
Member
Registered: 08-21-2009
Posts: 8

Re: How To Disable Email Friend?

Would appreciate an update on this too, I've just had the same issue.

Thanks,

Pete

Offline

 

#3 10-14-2013 09:53:17

asackett
Member
Registered: 07-30-2013
Posts: 7

Re: How To Disable Email Friend?

For the time being, I'm using this in .htaccess:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} emailfriend [NC]
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

I'd rather kill the thing within CCP, though.

Offline

 

#4 10-14-2013 11:41:51

curve
Member
Registered: 08-21-2009
Posts: 8

Re: How To Disable Email Friend?

Thanks asackett.

Can we please get a response on this, Kryptronic? Or have you stopped supporting v7? If you have, until when are you planning on running support for v8?

Offline

 

#5 10-14-2013 13:28:33

asackett
Member
Registered: 07-30-2013
Posts: 7

Re: How To Disable Email Friend?

curve wrote:

Thanks asackett.

You're welcome. I'm happy to help.

It looks like the abuser is targeting ClickCartPro specifically. The first appearance from the remote host was not preceded by any apparent scans appearing in the logs, and no requests for the target URL in the past week from anything that isn't a well known search engine. This leads me to believe that the attacker grabbed the URL from a well known search engine -- and if this is the case, lots of CCP users are going to have this problem.

Had I known that my client was using this feature I'd have disabled it long ago. Refer-A-Friend features have been widely exploited since the mid-1990's and have no business being deployed on the web today.

Offline

 

#6 10-20-2013 15:03:39

Belaird
Member
From: Reading, PA
Registered: 06-29-2007
Posts: 66

Re: How To Disable Email Friend?

I'm seeing the same exploit. I want to know if I can disable this in ccp 7.


Also thanks for the rewrite rule, that helped. I notice it doesn't work in ccp8, probably because it's handled differently.
I did catch the IP that was sending this stuff, if that helps: 112.202.21.192

Last edited by Belaird (10-20-2013 21:13:38)


Natural Horse Magazine
wwwnaturalhorse.com

Offline

 

#7 10-21-2013 10:36:23

asackett
Member
Registered: 07-30-2013
Posts: 7

Re: How To Disable Email Friend?

Belaird wrote:

Also thanks for the rewrite rule, that helped. I notice it doesn't work in ccp8, probably because it's handled differently.

You're welcome. I don't have any other clients using CCP, so I don't know how CCP8 does things. If there's a specific URL for the function that you can share with me, I can probably craft another rewrite rule for you if you'd like.

Belaird wrote:

I did catch the IP that was sending this stuff, if that helps: 112.202.21.192

That's interesting. The one that hit my client was also in the netblock 112.202.0.0/17, which belongs to Philippine Long Distance Telephone.

Offline

 

#8 10-24-2013 07:21:14

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19509
Website

Re: How To Disable Email Friend?

We have a fix for this. Basically the spammer is targeting the email a friend form and not specifying a product to email. In version 8 this was addressed on launch (8.0.0) with newer/better coding in that version. There is a patch for version 7. To apply the patch, edit the file {private}/apps/ecom/ECOM_Prod/ECOM_Prod.php.

In the prodshow() function, the first three instances of:

Code:

return 1;

Need to be changed to:

Code:

return false;

Then, in the emailfriend() function, look for:

Code:

$this->exec_namespace(array('app'       => 'ecom',
                            'namespace' => 'prodshowint',
                            'type'      => '*',
                            'params'    => null));

if ($this->debug) {$this->debugger("prodshowopt: Printed product detail display.");}

Change to:

Code:

$result = $this->exec_namespace(array('app'       => 'ecom',
                                      'namespace' => 'prodshowint',
                                      'type'      => '*',
                                      'params'    => null));

if ($this->debug) {$this->debugger("prodshowopt: Printed product detail display.");}

if (empty($result)) {$this->print_message('ecom','invaliditem'); return 1;}

Nick Hendler

Offline
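The fix above turns on the observation that the abusive requests hit the email-a-friend namespace without naming a product. That same observation can be used to spot the abuse in the web server's access log before the mail queue fills. The following is an added example written for this thread, not code from Kryptronic or ClickCartPro: it parses Apache combined-format log lines, picks out POSTs to app=ecom&ns=emailfriend that carry no product id, and counts them per client IP. The name of the product-id parameter (ref) is an assumption, as are the log lines, which are constructed using the 192.0.2.0/24 documentation range. The would_block() helper reproduces what the earlier .htaccess rule does: deny any request whose query string contains "emailfriend", case-insensitively.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache combined-log lines (not taken from any real server).
# 192.0.2.10 hammers the form with no product id; 192.0.2.77 is a normal visitor
# who arrived from a product page and sent one message naming that product.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Oct/2013:10:01:02 -0400] "POST /index.php?app=ecom&ns=emailfriend HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Oct/2013:10:01:03 -0400] "POST /index.php?app=ecom&ns=emailfriend HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Oct/2013:10:01:04 -0400] "POST /index.php?app=ecom&ns=emailfriend HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.77 - - [20/Oct/2013:10:05:40 -0400] "GET /index.php?app=ecom&ns=emailfriend&ref=widget-42 HTTP/1.1" 200 7210 "http://shop.example/widget" "Mozilla/5.0"
192.0.2.77 - - [20/Oct/2013:10:05:55 -0400] "POST /index.php?app=ecom&ns=emailfriend&ref=widget-42 HTTP/1.1" 200 5200 "http://shop.example/widget" "Mozilla/5.0"
192.0.2.33 - - [20/Oct/2013:10:06:00 -0400] "GET /index.php?app=ecom&ns=prodshow&ref=widget-42 HTTP/1.1" 200 9000 "-" "Googlebot/2.1"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Lower-case keys and values so matching is case-insensitive, like the [NC] flag.
    query = {k.lower(): [v.lower() for v in vals] for k, vals in query.items()}
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "target": target,
        "query": query,
        "status": int(m.group("status")),
    }


def would_block(target):
    """Mirror of the thread's .htaccess rule: any request whose query string
    contains 'emailfriend' (case-insensitive) is answered with 403."""
    return "emailfriend" in urlsplit(target).query.lower()


def is_emailfriend_request(entry):
    """True when the request addresses the ecom app's emailfriend namespace."""
    q = entry["query"]
    return q.get("app") == ["ecom"] and q.get("ns") == ["emailfriend"]


def has_product_id(entry, product_param="ref"):
    """True when a non-blank product id is present. The parameter name 'ref' is
    an assumption made for this example, not a documented ClickCartPro name."""
    return any(v.strip() for v in entry["query"].get(product_param, []))


def summarize(log_text, product_param="ref", threshold=3):
    """Count emailfriend POSTs with no product id per client IP, and return
    (counts, flagged) where flagged lists IPs at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        if not is_emailfriend_request(entry):
            continue
        if not has_product_id(entry, product_param):
            counts[entry["ip"]] += 1
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return dict(counts), flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for ip, n in counts.items():
        print(f"{ip}: {n} emailfriend POST(s) without a product id")
    print("flagged:", flagged)
```

Run against a real access log by replacing SAMPLE_LOG with the file's contents; the threshold is deliberately low here for the six-line sample and should be raised to suit a site's normal traffic. The legitimate visitor at 192.0.2.77 is not counted because the POST names a product, which is the same distinction the version 7 patch makes on the server side.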

 

#9 10-24-2013 09:41:19

curve
Member
Registered: 08-21-2009
Posts: 8

Re: How To Disable Email Friend?

Thanks Nick, appreciate your help on this.

With the

Code:

return 1;

instances, are we talking about the following lines, or should I only be changing the first 3 lines that have only that code on the line?

Code:

2679 if (!($this->store_active(1))) {return false;}
2749 return false;
2773 if (($this->IsError($colstring)) || (empty($colstring))) {return false;}

Thanks,

Pete

Offline

 

#10 10-25-2013 08:52:12

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19509
Website

Re: How To Disable Email Friend?

The first three instances that read 'return 1;' need to be changed to 'return false;'.


Nick Hendler

Offline

 

#11 10-29-2013 15:22:18

asackett
Member
Registered: 07-30-2013
Posts: 7

Re: How To Disable Email Friend?

webmaster wrote:

Basically the spammer is targeting the email a friend form and not specifying a product to email.  In version 8 this was addressed on launch (8.0.0) with newer/better coding in that version.

So then, after the spammer reads this and updates his bot to incorporate a product ID (scraped from the target site) in the query string he'll be back in business again and this whack-a-mole game will continue into the next round? I really, really don't want to find myself explaining to my client that their SMTP server got blacklisted because I ripped out my 100% solution to replace it with a vulnerability that I was aware of when I did it.

That said, I do appreciate your response and the effort that went into it. Be well!

Offline

 

#12 10-30-2013 08:37:37

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19509
Website

Re: How To Disable Email Friend?

The spammers are targeting the form with a blank product id because there's no product information sent in the message.  I have not seen a case where they actually used a valid product with product information in the message.


Nick Hendler

Offline

 

#13 10-30-2013 15:53:11

jimoe
Member
Registered: 08-18-2010
Posts: 103

Re: How To Disable Email Friend?

I note that emailfriend() always returns true. Shouldn't it return false unless it actually succeeds sending an email?

Offline

 

#14 10-31-2013 08:10:40

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19509
Website

Re: How To Disable Email Friend?

It actually should return true.


Nick Hendler

Offline

 
