Security leak discovered by my host

  • Stefan118
    New Member
    • Dec 2010
    • 18
    • 4.0.x


    Not sure if this post belongs in this forum or in vB5 Connect Support & Troubleshooting

    Today I got this e-mail from my web host:

    Dear Stefan118,
    The contact form on your website (mywebsite.nl) is currently being misused by hackers to send spam.

    Contact form:


    Because your contact form is being misused, we have taken the contact form on your website offline.

    You or your web designer must update the contact form to a new version, and the contact form must use reCAPTCHA (which is better than the CAPTCHA currently being used) so that it can no longer be misused.

    Let us know what you will do; then we will put the contact form online again.

    Hope to have informed you sufficiently,
    Sincerely,

    My web host.
    Now I'm running vB 5.5.0 and am about to update to the most recent version, 5.5.1, but I was wondering whether this issue is known and, if so, whether it is solved in 5.5.1.

    Regards,
    Stefan.
    Last edited by Stefan118; Thu 4 Apr '19, 11:01am.
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73981

    #2
    I fail to see how this is a security risk. The Contact Us form can only send emails to the addresses set up under Settings -> Options -> Site Name / URL / Contact Us. However, Recaptcha or Human Verification is a default setting for non-registered users on new vBulletin installations. This feature has been available for over a decade now. Human Verification also applies to the Contact Us form. You can see this by clicking the Contact Us link in the footer of this page while not logged into the site. It appears that you have turned this off. To re-enable it you should follow these steps.
    1. Go to Settings -> Options -> Human Verification Options.
    2. Make sure all Options are checked except maybe Search. Checking Search means that Guest Users cannot use the search box in the header.
    3. Go to Usergroups -> Usergroup Manager.
    4. Edit the Guest Usergroup.
    5. Make sure that "Require Human Verification on Configured Actions" is set to Yes.
    6. Save the Permissions at the bottom of the page.
    7. Go to Settings -> Human Verification Options.
    8. Set up one of the different Verification Methods. I suggest using Recaptcha v2.
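The steps above are admin-panel configuration; what they switch on is a server-side check that the visitor solved a challenge before the form is allowed to send mail. As an added example (not vBulletin's own code, and not the code base the thread is about), the handler below shows the checks a contact form behind reCAPTCHA v2 has to make on the server: the `g-recaptcha-response` token is sent to Google's `siteverify` endpoint together with the secret key, the reply's `hostname` and `challenge_ts` are checked so a token solved elsewhere or long ago is rejected, header fields are refused if they contain CR/LF (which would let a sender inject extra `Bcc:` recipients), and the recipient list is fixed on the server exactly as the Contact Us setting fixes it. The secret, hostnames, recipient address and the `fake_siteverify` stand-in are constructed for the illustration; the transport is injectable so the module runs offline.

```python
"""
Contact-form handler behind reCAPTCHA v2, server side (added illustration, not
vBulletin code). Real API used: POST secret/response/remoteip to siteverify,
JSON reply with success, hostname, challenge_ts, error-codes.
"""
import calendar
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Hypothetical configuration; a real deployment loads these from its config store.
RECAPTCHA_SECRET = "replace-with-your-secret-key"
ALLOWED_HOSTNAMES = {"mywebsite.nl", "www.mywebsite.nl"}
CONTACT_RECIPIENTS = ["info@mywebsite.nl"]   # fixed server side, never taken from the request
MAX_TOKEN_AGE_SECONDS = 120

HttpPost = Callable[[str, Dict[str, str]], Dict]


def http_post_form(url: str, fields: Dict[str, str]) -> Dict:
    """Real transport: POST urlencoded fields and parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=5) as resp:
        return json.loads(resp.read().decode())


def parse_challenge_ts(ts: str) -> Optional[int]:
    """challenge_ts is ISO 8601 UTC, e.g. 2019-04-04T09:01:00Z; None if malformed."""
    try:
        return calendar.timegm(time.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    except (TypeError, ValueError):
        return None


def verify_recaptcha(token: str, remote_ip: str, post: HttpPost = http_post_form,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Any doubt is a rejection: the token is client-supplied
    and siteverify is the only party that can vouch for it."""
    if not token or len(token) > 4096:
        return False, "missing-token"
    try:
        reply = post(SITEVERIFY_URL, {"secret": RECAPTCHA_SECRET,
                                      "response": token, "remoteip": remote_ip})
    except Exception:
        return False, "siteverify-unreachable"          # fail closed, never open
    if reply.get("success") is not True:
        return False, "siteverify-rejected:" + ",".join(reply.get("error-codes", []))
    if reply.get("hostname") not in ALLOWED_HOSTNAMES:
        return False, "wrong-hostname"                   # solved on someone else's site
    solved_at = parse_challenge_ts(reply.get("challenge_ts", ""))
    current = int(time.time()) if now is None else now
    if solved_at is None or current - solved_at > MAX_TOKEN_AGE_SECONDS:
        return False, "stale-token"                      # siteverify also refuses reuse
    return True, "ok"


def clean_header_field(value: str) -> Optional[str]:
    """Header values must be single-line; CR/LF lets a sender inject Bcc:/To: lines."""
    if "\r" in value or "\n" in value:
        return None
    return value.strip()[:200]


def handle_contact_form(form: Dict[str, str], remote_ip: str,
                        post: HttpPost = http_post_form, now: Optional[int] = None) -> Dict:
    """Validate a submission and return what would be sent. The caller hands the
    returned message to its mailer; recipients are never read from `form`."""
    ok, reason = verify_recaptcha(form.get("g-recaptcha-response", ""), remote_ip, post, now)
    if not ok:
        return {"sent": False, "reason": reason}
    name = clean_header_field(form.get("name", ""))
    sender = clean_header_field(form.get("email", ""))
    subject = clean_header_field(form.get("subject", ""))
    if None in (name, sender, subject) or "@" not in sender:
        return {"sent": False, "reason": "bad-header-field"}
    return {"sent": True, "to": list(CONTACT_RECIPIENTS), "reply_to": sender,
            "subject": subject, "body": form.get("message", "")}


def fake_siteverify(hostname: str = "mywebsite.nl", success: bool = True,
                    ts: str = "2019-04-04T09:01:00Z") -> HttpPost:
    """Constructed stand-in for Google's endpoint, for offline demonstration only."""
    def post(url: str, fields: Dict[str, str]) -> Dict:
        good = success and fields.get("response") == "valid-token"
        return {"success": good, "hostname": hostname, "challenge_ts": ts,
                "error-codes": [] if good else ["invalid-input-response"]}
    return post


if __name__ == "__main__":
    t0 = parse_challenge_ts("2019-04-04T09:01:00Z")
    good = {"name": "Stefan", "email": "stefan@example.net", "subject": "Hi",
            "message": "Hello", "g-recaptcha-response": "valid-token"}
    print(handle_contact_form(good, "203.0.113.5", fake_siteverify(), now=t0 + 30))
    spam = dict(good, subject="Hi\r\nBcc: victims@example.org")   # header injection attempt
    print(handle_contact_form(spam, "203.0.113.5", fake_siteverify(), now=t0 + 30))
```

Two design points matter for the spam case in the thread: the `siteverify` call fails closed (an unreachable verifier means no mail goes out), and the sender's address only ever becomes `Reply-To`, so even a verified submission cannot turn the form into a relay to arbitrary recipients.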

    • Stefan118
      New Member
      • Dec 2010
      • 18
      • 4.0.x

      #3
      I checked some things:
      The contact form is indeed offline (the send button does not work anymore; it has been set to www.mysite.nl/#).
      Only our own info e-mail address has been set.
      In Settings -> Options -> Human Verification Options, only Recover Lost Password was not checked.
      The "Require Human Verification" usergroup option was and is set to Yes; however, for registered users who did not confirm their account it was set to No!
      I indeed was not using reCAPTCHA v2, but image verification.

      I copied your post into my reply to the ticket of my host.


      • Mark.B
        vBulletin Support
        • Feb 2004
        • 24286
        • 6.0.X

        #4
        The first thing I'd be doing if a host disabled part of my website without advising me FIRST, would be to find another host.
        vBulletin is installed on many, many thousands of websites worldwide, and the contact form is used without issue.

        ReCaptcha2 should be used, not image verification, as image verification has generally been 'crackable' for quite some time.