Form handler vulnerability?
Author: Sinisa B.
For the last few days I have been receiving messages via my online form that are obviously sent by bots: all "required" fields are sent empty, so it could not be sent by a site-visitor...
The form is protected by "reCAPTCHA".
I'm using 2023.3.5. version of the program.
Is this a known WSX5 form handler vulnerability and how it could be fixed?
Cheers!
Maybe the fields are not empty... just some hidden characters, like ALT+255 for a hidden space.
Just place your mouse at the end of the sentence and go back to the left with the left mouse button held down; the hidden spaces are displayed (here in blue)... try it on the sentence here.
Author
@Axel
Hi Axel, glad to see that you're alright!
No, there are no hidden characters there... cheers!
Hope to get a word of wisdom from Incomedia...
Yes... it's fine... thank you
So probably your form file has been hacked...
Have you checked the logs at the provider? It could be interesting to see if there is some info about your form manipulation.
Author
@ Axel
Thnx!!!
OK - I'll check with the hosting provider.
Old (PHP) scripts are easy to hack and WSX5 probably uses an old (PHP) form handler...
BTW - regarding the latest update - any chance that the fix for the form handler is in the update?
@ INCOMEDIA
Pls. check this issue out - THX!
This may be because the form is filled out and submitted first, and then the sender uses the browser's back button to fill out the form again. Whatever the reason... He then returns to the form page with the data he entered still in the fields. Here he can change data or enter new ones and also send them. However, neither the new data nor the old data will be included in the email! The contractor receives an email with no content (despite mandatory fields!); the client receives nothing because of a missing email address. In the email_log of the web host you will see the note "You must provide at least one recipient email address." entered. Resetting the fields using the “Reset” form button does nothing; also refreshing the login page with F5.
To avoid this, I previously solved it by opening the form in a showbox or in a popup window.
Author
@ Franz-Josef H.
Thank you very much for the detailed explanation.
Frankly, I never heard about this possibility: if the form has been submitted first, then I should receive the form data from the first attempt, right? Since the visitor cannot send the form without filling out the required fields and clicking reCAPTCHA, how can she/he submit the form at all?
My experience tells me that the form-handler script needs to be patched; as I wrote above, I hope that Incomedia will step in and check the script.
Again, thank you for your valuable comment!
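As an added example (not WebSite X5's own handler, whose file and field names are not given on this page), this is the server-side check a patched form handler would do before sending any mail: treat a required field as missing when it is empty or holds only whitespace, including the non-breaking space Axel mentions, and verify the reCAPTCHA v2 token against Google's siteverify endpoint instead of trusting the browser widget. The field names, the secret, and the recipient address are assumptions.

```php
<?php
// Added example: hardened form-handler checks (not WebSite X5's own code).
// Assumed POST fields: name, email, message; $secret and $to are placeholders.
$required = ['name', 'email', 'message'];   // assumed field names
$secret   = 'RECAPTCHA_SECRET_PLACEHOLDER';  // placeholder; keep the real one out of the web root
$to       = 'owner@example.com';             // placeholder recipient

// A field counts as empty when it holds only whitespace, including U+00A0
// (the non-breaking space that ALT+255 types) and zero-width characters.
function isBlank(?string $v): bool {
    if ($v === null) return true;
    $stripped = preg_replace('/[\s\x{00A0}\x{200B}-\x{200D}\x{FEFF}]+/u', '', $v);
    return $stripped === '';
}

// Server-side reCAPTCHA v2 verification. The widget on the page proves nothing
// by itself: a bot can POST straight to the handler without loading the page.
function recaptchaOk(string $secret, ?string $token, string $ip): bool {
    if ($token === null || $token === '') return false;
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $ip]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $res = $raw === false ? null : json_decode($raw, true);
    return is_array($res) && ($res['success'] ?? false) === true;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }

// Required fields are enforced here, not only in the browser.
$missing = array_filter($required, fn($f) => isBlank($_POST[$f] ?? null));
if ($missing) {
    // Reject and log, so the hosting provider's logs show the attempt.
    error_log('form rejected: empty required fields ' . implode(',', $missing) . ' from ' . $_SERVER['REMOTE_ADDR']);
    http_response_code(400); exit('Missing required fields.');
}
if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { http_response_code(400); exit('Invalid e-mail address.'); }
if (!recaptchaOk($secret, $_POST['g-recaptcha-response'] ?? null, $_SERVER['REMOTE_ADDR'])) {
    error_log('form rejected: reCAPTCHA verification failed from ' . $_SERVER['REMOTE_ADDR']);
    http_response_code(400); exit('CAPTCHA verification failed.');
}

// Only now build and send the mail; the recipient comes from a constant, never from user input.
$body = "Name: {$_POST['name']}\nEmail: {$_POST['email']}\n\n{$_POST['message']}\n";
mail($to, 'Website contact form', $body, "From: noreply@example.com\r\nReply-To: " . $_POST['email']);
```

Because the recipient is fixed in the script, a submission with empty fields can no longer produce the "You must provide at least one recipient email address" entry described above; it is rejected with a 400 before any mail is attempted.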
Hello Sinisa
At the moment, our software is compatible with the ReCaptcha system up to v2.
Unfortunately, this version is slowly becoming outdated and it appears that some modern spam bot has recently started appearing online which can easily target this version.
We're currently working out the details to update this to v3 so as to avoid the issue. At the moment though, if v2 reCAPTCHA is simply not enough, I can advise attempting to move the form to a different page or renaming the page's URL and file name completely, since these bots seem to operate on a URL basis. Moving the form to a different page should stop this while the new reCAPTCHA version is integrated.
Thank you
Stefano
Author
Hi Stefano,
Thank you for the feedback!
Well, it's a "single-page" website, so I don't have a contact form on a separate page.
Changing the URL of the page is not an option because it's an index page.
Stefano, could you give me an estimate when this reCaptcha v3 update could be available?
Thank you in advance for your reply!
BR, Sinisa
@Sinisa
reCAPTCHA v3 has been available since April 2018, so the development must be very near to being finished for us.
https://developers.google.com/search/blog/2018/10/introducing-recaptcha-v3-new-way-to?hl=fr
Author
@ Axel
I know that.
That's why I'm using this software for my company webpage only, because to transfer it to the other platform will take me time that I can spend more usefully...
Hopefully, they will update the reCaptcha to the latest version soon... Cheers!
Hello Sinisa
I'm unfortunately unable to provide an expected date for the update, but can only confirm that the implementation is currently being worked on.
As soon as news becomes available on the matter, it will be made known publicly, directly on our changelog and the Help Center.
I thank you for your patience as we work on this.
Stefano