J3 Issue ?
PavelGloba - 13 Mar 2019

This is a clone of #20865.

Steps to reproduce the issue

Leave com_contact activated (it is activated by default). No contacts are defined and no menu items are defined for any contact. So on the site itself there is no way to e-mail a contact using com_contact and the default Joomla contact form.

Expected result

It is impossible that I receive any e-mail from com_contact and the default Joomla contact form.

Actual result

Spam e-mails are received from Russian and Chinese e-mail addresses (also see: forum.joomla.org/viewtopic.php?t=958667). Spambots are able to use com_contact to send spam e-mails even when no contacts are defined on the website.

Actual example of the POST request body:

jform[contact_name]=msmith&jform[contact_email]=msmith@uai.org.uk&jform[contact_subject]=Waiting for your reply 00588&jform[contact_message]=You have a new answer to your question. Go to view - https://896.drive.google.com/open?---spamlinkdeleted---&jform[contact_email_copy]=1&option=com_contact&task=contact.submit&c638bbeab4934f6f160dfdecdb03fa3f=1

posted to:

index.php?option=com_contact&view=contact&id=1

System information (as much as possible)

Joomla 3.5-3.9.4

Additional comments

This is almost a security issue, because a provider I use may block my website when a lot of spam is coming from my website. So, this misuse of Joomla should not be possible by default.
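An added detection example, not part of this issue thread or of Joomla's code: it parses a com_contact submission shaped like the one quoted above and flags the abuse pattern the thread describes (a "send a copy to sender" request carrying a link, aimed at a contact id the site owner never meant to expose). The sample request is constructed from the quoted body with the spam link replaced by a placeholder, and `active_contact_ids` is an assumed set the site owner supplies.

```python
import re
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://\S+")

# Constructed samples: the request shape quoted in the issue, with the spam link
# replaced by a placeholder, plus an ordinary submission for comparison.
SPAM_URL = "index.php?option=com_contact&view=contact&id=1"
SPAM_BODY = (
    "jform[contact_name]=msmith&jform[contact_email]=msmith@uai.org.uk"
    "&jform[contact_subject]=Waiting for your reply 00588"
    "&jform[contact_message]=You have a new answer to your question. Go to view - "
    "https://example.invalid/spam-link-placeholder"
    "&jform[contact_email_copy]=1&option=com_contact&task=contact.submit"
    "&c638bbeab4934f6f160dfdecdb03fa3f=1"
)
LEGIT_BODY = (
    "jform[contact_name]=Jane&jform[contact_email]=jane@example.invalid"
    "&jform[contact_subject]=Opening hours&jform[contact_message]=Are you open on Sunday?"
    "&jform[contact_email_copy]=0&option=com_contact&task=contact.submit"
)

def parse_submission(url, body):
    """Flatten a com_contact POST (URL query plus form body) into one dict.
    Joomla nests form fields as jform[field]; option, task, id and the token stay as-is."""
    fields = {}
    for raw in (urlsplit(url).query, body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            m = re.fullmatch(r"jform\[(\w+)\]", key)
            fields[m.group(1) if m else key] = values[0]
    return fields

def spam_indicators(fields, active_contact_ids):
    """Reasons a submission matches the abuse pattern from the thread; [] means nothing flagged.
    active_contact_ids: ids of contacts the site owner deliberately exposes (assumed input)."""
    reasons = []
    if fields.get("option") != "com_contact" or fields.get("task") != "contact.submit":
        return reasons  # not a contact-form submission at all
    # "Send a copy to yourself" mails the message to whatever address the sender typed,
    # so the site's own mailer delivers the link to the bot's chosen recipient.
    if fields.get("contact_email_copy") == "1" and URL_RE.search(fields.get("contact_message", "")):
        reasons.append("copy-to-sender requested with a link in the message")
    if fields.get("id") not in active_contact_ids:
        reasons.append("target contact id %r is not one the site intends to expose" % fields.get("id"))
    return reasons

if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("legit", LEGIT_BODY)):
        print(label, spam_indicators(parse_submission(SPAM_URL, body), {"1"}))
```

Run over web-server POST logs, the second indicator is what the thread's advice (unpublish or disable com_contact) removes; the first catches the relay pattern even for a contact you do expose.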

PavelGloba - open - 13 Mar 2019
joomla-cms-bot - change - 13 Mar 2019
Labels Added: ?
joomla-cms-bot - labeled - 13 Mar 2019
PavelGloba - change - 13 Mar 2019
The description was changed
PavelGloba - edited - 13 Mar 2019
travisrisner - comment - 13 Mar 2019

I can confirm I have been battling the same issue. I rarely use the contact component, so I have opted to just disable it on all of my Joomla websites.

SniperSister - comment - 14 Mar 2019

No contacts are defined

I tried to reproduce this using a non-existent contact ID in the URL and I get a 404.

So, could you please verify that there's no record with ID 1 in com_contact in the published or archived state?

franz-wohlkoenig - change - 14 Mar 2019
Status: New → Information Required
jeckodevelopment - comment - 14 Mar 2019

So, could you please verify that there's no record with ID 1 in com_contact in the published or archived state?

I can confirm that, if ID 1 is in the Archived state, it's still reachable by
index.php?option=com_contact&view=contact&id=1

In the Unpublished state, the URL gives a 404

mbabker - comment - 14 Mar 2019

I can confirm that, if ID 1 is in the Archived state, it's still reachable by
index.php?option=com_contact&view=contact&id=1

As is intended. Archived does not translate to unpublished or inaccessible on Joomla's frontend.

travisrisner - comment - 14 Mar 2019

After looking back through sites I've known to have this occur, the bulk have been older sites that were built off of Joomla template quickstarts that probably had default data in the contact component. I don't see this happen with sites that were built from a blank slate.

I wouldn't mind seeing the installer in the future prompt the user about the core components and ask if they would like to be enabled.

franz-wohlkoenig - change - 17 Mar 2019
Status: Information Required → Discussion
brianteeman - comment - 19 Mar 2019

So why did you leave sample data on the site?

franz-wohlkoenig - change - 22 Mar 2019
Category: com_contact
alex7r - comment - 23 Mar 2019

Many "not so advanced" people do.
They create the website with sample data so it is easier to simply adjust it than to create everything from scratch. Afterwards they just change everything they see (and that's not the case with com_contact AFAIK).

HLeithner - comment - 23 Mar 2019

Does the sample data have the "mail to sender" option active?

franz-wohlkoenig - change - 27 Mar 2019
Status: Discussion → Information Required
franz-wohlkoenig - change - 4 Apr 2019
Labels Added: J3 Issue
franz-wohlkoenig - labeled - 4 Apr 2019
santyabreu - comment - 27 Jun 2019

Hello Friends.

Exactly the same issue. Multiple spam e-mails are being sent using Joomla (latest version) and the contact form. Here is the POST entry:

[screenshot of the POST entry not included]

I'm going to:

  1. Unpublish the contact id=1 and see the behaviour.
  2. Change SMTP password.
  3. Wait for any new POST

Any security improvement to this?

Quy - comment - 27 Jun 2019

If you don't use the Contacts component, then disable it.

alikon - comment - 27 Jun 2019

I don't think we can do much more here.
@Quy / @franz-wohlkoenig please close

joomla-cms-bot - change - 27 Jun 2019
Status: Information Required → Closed
Closed_Date: 0000-00-00 00:00:00 → 2019-06-27 17:19:32
Closed_By: joomla-cms-bot
joomla-cms-bot - close - 27 Jun 2019
Quy - change - 27 Jun 2019
Status: Closed → Expected Behaviour
Closed_By: joomla-cms-bot → Quy
joomla-cms-bot - comment - 27 Jun 2019

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/24187
