djalondon - 13 Nov 2019

Steps to reproduce the issue

On 2 separate Joomla installs a contact was created without amending the default Contact Component settings. The email address for the contact was subsequently spammed, with the website user first using /index.php?option=com_contact&view=contact&id=1 to check the contact existed, then posting to the form which is available by default.

Expected result

Contact can't be emailed unless the form is enabled, and secured with Captcha

Actual result

The form was available to view and no Captcha or anti-bot mechanism was enabled

System information (as much as possible)

Fresh install, no changes made to Contact Configuration except a contact was created. Joomla 3.9.12

Additional comments

Web hosts see this as spam activity and one client's account was suspended. In both cases the traffic came from the same IP addresses.
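The report describes a recognisable traffic shape: one GET to check that the contact view exists, followed by a burst of POSTs to the same com_contact URL from the same source address. The following is an added example, not code from the issue or from the Joomla project, showing how a site operator could flag that shape in an Apache combined-format access log before the host flags it as spam. The log lines are constructed for the example; the URL pattern is the one quoted in the issue, and the threshold of three POSTs is an assumed value.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): 203.0.113.7 probes the contact
# view once and then posts four times; the other two addresses look normal.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2019:10:00:01 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2019:10:00:02 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Nov/2019:10:00:03 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2019:10:00:04 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Nov/2019:10:00:05 +0000] "GET /index.php?option=com_content&view=article&id=2 HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2019:10:00:06 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Nov/2019:10:00:40 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2019:10:00:07 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
this line is not a valid log record
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_contact_post(rec):
    """True for a form submission to the contact component."""
    return rec["method"] == "POST" and "option=com_contact" in rec["path"]


def find_contact_form_abusers(lines, threshold=3):
    """Return {ip: post_count} for addresses that POSTed to com_contact
    at least `threshold` times after first GETting the contact view.
    `threshold` is an assumed tuning value, not a Joomla setting."""
    seen_view = set()
    posts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the scan
        if rec["method"] == "GET" and "option=com_contact" in rec["path"]:
            seen_view.add(rec["ip"])
        elif is_contact_post(rec):
            posts[rec["ip"]] += 1
    return {ip: n for ip, n in posts.items() if n >= threshold and ip in seen_view}


if __name__ == "__main__":
    for ip, n in find_contact_form_abusers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} contact-form POSTs after probing the contact view")
```

Running the script against the constructed log reports only 203.0.113.7; the address that submitted the form once is left alone. The "probe then post" requirement is what distinguishes this from a plain per-IP POST counter, and it mirrors the sequence the reporter observed.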

djalondon - open - 13 Nov 2019
joomla-cms-bot - labeled - 13 Nov 2019
Quy - change - 13 Nov 2019
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2019-11-13 18:05:18
Closed_By: Quy
Quy - close - 13 Nov 2019

Quy - comment - 13 Nov 2019

Duplicate #24187. If you don't use the Contacts component, then disable it.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27066.

djalondon - comment - 13 Nov 2019

Maybe the settings shouldn't be enabled by default in the first place?

brianteeman - comment - 13 Nov 2019

If you don't have a contact on the site then there isn't even any need to disable it.
