Security Problem With Form Addon & Standard SPPB Captcha - Question | JoomShaper


kweb

SP Page Builder 1 year ago

Hello, I use the contact form addon from SPPB with the standard captcha on over 100 websites. This has worked for years without any problems. For about 1 month now I have been receiving more and more spam requests from various websites. Today the support of my server wrote to me with the following content:

Dear Mr. .... As we have just discovered during maintenance work on the server, spam mails are being sent via your customer account using a PHP script. We would like to draw your attention to the fact that this is not permitted here.

Please check the scripts used on your account immediately, as they have been misused to send spam due to a security vulnerability.

The suspicious script is:

/www/htdocs/xxx/xxx/libraries/vendor/phpmailer/phpmailer/src/PHPMailer.php

The call was made via:

https://www.domain.de/#!

The “Captcha” (3+4=?) is very easy to bypass as it is not randomly generated. This gives attackers the chance to create an infinite loop after calculating the simple math task once.

In this case, we recommend that you update to a more recent (more secure) version or install additional protection (captcha). We recommend Google ReCaptcha, for example.

By sending such e-mails, you are not only harming other customers, but also yourself, as the server could be listed in popular spam lists due to such a case and thus the regular sending of e-mails is severely impaired.

Web access for the above script has been deactivated for the time being.

In a reply to this e-mail, please contact us as soon as possible so that we can close this ticket and let us know what measures you have taken to secure your web space so that such an incident does not happen again.

Are there any plans to work on this to make the standard captcha more secure? Is using reCAPTCHA the only way to solve this?

kweb

0
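The replay weakness described in the hoster's message, next to a challenge that changes per request, as an added PHP example that is not SP Page Builder's code or part of the original posts. It assumes a server-side session (modelled here as the `$store` array); the function names and the 300-second lifetime are hypothetical.

```php
<?php
// Added illustration, not SP Page Builder code. $store stands in for the
// visitor's server-side session; all names here are hypothetical.

const CHALLENGE_TTL = 300; // seconds a challenge stays valid (assumed value)

// Weak form described in the hoster's mail: one fixed task (3+4=?), so an
// answer computed once is accepted on every later request.
function verify_static(string $answer): bool
{
    return $answer === '7';
}

// Hardened form: random operands, random id, expiry, answer kept server-side.
function issue_challenge(array &$store, ?int $now = null): array
{
    $now = $now ?? time();
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $id = bin2hex(random_bytes(16));
    $store[$id] = ['answer' => (string) ($a + $b), 'expires' => $now + CHALLENGE_TTL];
    return ['id' => $id, 'question' => "$a + $b = ?"];
}

// The entry is deleted on the first attempt, right or wrong, so an id/answer
// pair cannot be submitted a second time.
function verify_challenge(array &$store, string $id, string $answer, ?int $now = null): bool
{
    $now = $now ?? time();
    $entry = $store[$id] ?? null;
    unset($store[$id]);
    if ($entry === null || $now > $entry['expires'] || !preg_match('/^\d{1,2}$/', $answer)) {
        return false;
    }
    return hash_equals($entry['answer'], $answer);
}

// Constructed run: one visitor session, several submissions.
$session = [];
$c = issue_challenge($session);
$answer = $session[$c['id']]['answer'];                  // what a correct visitor would type
var_dump(verify_static('7'), verify_static('7'));        // fixed task, same answer sent twice
var_dump(verify_challenge($session, $c['id'], $answer)); // first use of a fresh challenge
var_dump(verify_challenge($session, $c['id'], $answer)); // same id and answer sent again
$old = issue_challenge($session, time() - CHALLENGE_TTL - 1);
var_dump(verify_challenge($session, $old['id'], $session[$old['id']]['answer'])); // expired challenge
```

Single use and expiry close the replay the hoster describes; they do not stop a script that reads and solves each new task, which is why the thread ends with reCAPTCHA or hCaptcha as the fix.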
4 Answers
Ziaul Kabir
Accepted Answer
Support Agent 1 year ago #168783

Hello kweb,

Thank you for reaching out to us. We sincerely apologize for the inconvenience you have experienced. To address this issue, we recommend upgrading both your Joomla and SP Page Builder installations, as recent updates include enhanced security features specifically for form submissions.

Additionally, we suggest using Google reCAPTCHA instead of the default captcha, as it is one of the most effective solutions for preventing spam submissions. Or you can use Google invisible reCAPTCHA or hCaptcha. If you choose hCaptcha, you need to install this hCaptcha extension; after this you will see it in the form captcha option.

If you have any further questions or need assistance, please feel free to ask.

Best regards,

0
kweb
Accepted Answer
1 year ago #168801

Hi Ziaul, the latest versions have been installed. Only reCAPTCHA solved this problem. You should think about implementing a changing spam protection. Well, now I have to change all my 100 sites to a new captcha method.

0
Ziaul Kabir
Accepted Answer
Support Agent 1 year ago #168807

Hello kweb,

Thank you for the update, and I completely understand the challenge of updating multiple sites. We appreciate your feedback on spam protection and will certainly take your suggestion into account for future improvements. Implementing more adaptable and advanced security measures is a priority for us.

If you need any assistance, feel free to reach out.

Best regards,

0
Ziaul Kabir
Accepted Answer
Support Agent 1 year ago #169027

Could you kindly accept the response to this question?

Thank you. Best regards,

0