1 Apr 04, 2009 18:12

I had an installation where a malicious user was hitting all the "message form" links from commenters and trash-talking the person who owned the installation. So I came up with a simple hack after turning off the message form feature in the profiles of all the registered bloggers.

In /skins/_item_comment.inc.php (or /skins/yourskin/_item_comment.inc.php) find this bit:

$Comment->author();
$Comment->msgform_link( $Blog->get('msgformurl') );
$Comment->author_url( '', ' · ', '' );


Now replace it with this bit:

$Comment->author();
if( is_logged_in() ) {
	$Comment->msgform_link( $Blog->get('msgformurl') );
}
$Comment->author_url( '', ' · ', '' );


Very simply, this means that ONLY registered members will be able to contact anyone who leaves a comment and leaves the "allow contacts" feature enabled. Now the malicious person who used the message form feature to trash-talk the blogger won't be able to because that person is not a registered member of the installation.

3 Apr 04, 2009 21:56

A really paranoid person would add the check to htsrv/message_send.php as well ;)

/**
 * Includes
 */
require_once dirname(__FILE__).'/../conf/_config.php';

require_once $inc_path.'_main.inc.php';
if( !is_logged_in() )
{	// reject anonymous submissions before any message is processed
	die( 'spammer' ); // if only it was that easy huh?
}

¥
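Added example, not code from the thread or from b2evolution: a self-contained model of the server-side gate the post above suggests for htsrv/message_send.php, extended to return a proper 403, validate the POST fields, and log each rejected attempt so a pattern of abuse shows up in the log. The function names, the session key user_ID, the field names and the log path are assumptions.

```php
<?php
// Added example (not b2evolution's own code). All function names, the
// session key 'user_ID', the POST field names and the log path are assumed.
declare(strict_types=1);

/** Stand-in for b2evolution's is_logged_in(): true when a user id is in the session. */
function current_user_is_logged_in(array $session): bool
{
    return isset($session['user_ID']) && (int) $session['user_ID'] > 0;
}

/**
 * Decide whether a message-form submission may proceed.
 * Returns ['allowed' => bool, 'reason' => string] so the caller can answer
 * with HTTP 403 and log the attempt instead of dying with a bare string.
 */
function message_send_allowed(array $session, array $post): array
{
    if (!current_user_is_logged_in($session)) {
        return ['allowed' => false, 'reason' => 'not logged in'];
    }
    // Hiding the link in the skin only removes it from the page; the POST
    // endpoint must still check every required field itself.
    foreach (['recipient_id', 'subject', 'message'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            return ['allowed' => false, 'reason' => "missing field: $field"];
        }
    }
    return ['allowed' => true, 'reason' => 'ok'];
}

/** Append one line per rejected attempt: timestamp, client address, reason. */
function log_rejected_message(string $logfile, string $remote_addr, string $reason): void
{
    $line = sprintf("%s %s rejected: %s\n", date('c'), $remote_addr, $reason);
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Constructed sample requests: an anonymous visitor and a logged-in member.
$fields = ['recipient_id' => 7, 'subject' => 'hi', 'message' => 'hello'];
$guest  = message_send_allowed([], $fields);
$member = message_send_allowed(['user_ID' => 42], $fields);

if (!$guest['allowed']) {
    header('HTTP/1.1 403 Forbidden'); // ignored when run from the CLI
    log_rejected_message(sys_get_temp_dir() . '/message_send_rejects.log',
                         '198.51.100.23', $guest['reason']); // constructed address
}
echo 'guest: ' . $guest['reason'] . PHP_EOL;
echo 'member: ' . $member['reason'] . PHP_EOL;
```

In the real handler the session and POST arrays would come from the request, and the check belongs before any recipient lookup or mail is sent.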

4 Apr 04, 2009 22:00

Yeah that's good! In my case the malicious individual was stupid enough to use the internet to harass a biker lawyer, meaning harassment is likely to lead to either getting beat up or sued, so I didn't give it much thought re directly calling the message form. Plus that installation uses turingtest so I had to deal with an actual stupid human ;)

5 Apr 04, 2009 22:02

If darwin was alive he'd probably write a book about them ;)

¥
