Comments on: PXS Mail Form – WP Plugin

By: Phrixus

Phrixus — Wed, 14 Sep 2005 07:59:31 +0000

Ok, thats fine so just to confirm, for the ‘referrer checking’, the script should check that the POST data originated on the server itself and if there are any red flags raised anywhere, the script should just stop and not bother to send the junk?

By: Justin Perkins

Justin Perkins — Wed, 14 Sep 2005 03:06:35 +0000

No I don’t think logging is that important, at least not for me and clients I have set up with WP and this great plugin

By: Phrixus

Phrixus — Tue, 13 Sep 2005 22:12:30 +0000

Good points Justin, would it also be useful to maintain a basic log perhaps that could be viewed in the control panel? Something along the lines of registering the number of mails sent, the number that were red flagged and the number of mails that didn’t pass the referrer check? If so, would just a basic count be preferable or a more detailed output?

By: Justin P

Justin P — Tue, 13 Sep 2005 20:54:19 +0000

Just checking the HTTP_REFERER server variable is all that is needed, maybe comparing it against some other server variables like SERVER_NAME and/or SCRIPT_NAME would be a good comparison that doesn’t require hardcoding the expected referring URL.

I would even go so far as to raise a red flag not to send the email at all if any fields have a carriage return in them (except the message field). Maybe that’s a better approach since just stripping unwanted characters doesn’t stop the spam from arriving in my inbox.

By: Phrixus

Phrixus — Mon, 12 Sep 2005 22:12:18 +0000

Hi Justin, the post does not do any referrer checking. If you have any ideas for implementing this. I would be happy to look into it.

By: Justin P

Justin P — Mon, 12 Sep 2005 21:30:30 +0000

Thanks for the quick response Phrixus, I’m curious if your update does any referrer checking on the post?

I’ve fixed the carriage return vulnerability, but am still getting flooded with junk mail from kiddies attempting to exploit this issue.

By: WordPress Station

WordPress Station — Mon, 12 Sep 2005 19:04:16 +0000

PXS Mail Form

Phrixus
Has updated their email contact form plugin, built off of Ryan Duff’s excellent wp-contactform plugin. PXS includes additional checks over the original plugin, as well as the option to turn off the embeded CSS, and use your own.

…

By: Phrixus

Phrixus — Mon, 12 Sep 2005 18:50:52 +0000

PLUGIN UPDATED
See the main post above for details of changes and the option to download the new version.

By: Justin Perkins

Justin Perkins — Mon, 12 Sep 2005 03:27:21 +0000

This contact form is vulnerable to form hacking, explained better here:
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

A new version should be released ASAP to correct this gaping vulnerability.

By: Jason

Jason — Mon, 12 Sep 2005 01:35:47 +0000

Phrixus, I feel like an idiot but I figured out the problem. I had copied the options-pxsmail.php into the /wp-content/plugins/ directory and not the /wp-admin/ directory. So should anyone else do a bonehead install of this plugin, the fix would be to follow the instructions more carefully. Works great now, Thanks.