
SPAMMER exploited `tell to friend' CC305 and shutdown website



Guest Muslimin

We would like to alert CC 3.0.5 users about the occurrence of a major SPAMMER exploiting the `tell friend' email feature to send spam to others, causing the whole domain to be shut down by the webhost.

Details were sent by our webhost:

2006-04-02 18:38:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FPzyg-0001Kw-F5
2006-04-02 18:38:38 cwd=/home/muslimin/public_html/tijarah/includes 3 args: /usr/sbin/sendmail -t -i
2006-04-02 18:38:38 1FPzyg-0001Ky-HZ <= [email protected] U=nobody P=local S=1834 T="COMPANY REP, REQUIRED" from <[email protected]> for [email protected]
2006-04-02 18:38:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FPzyg-0001Ky-HZ
2006-04-02 18:38:38 cwd=/home/muslimin/public_html/tijarah/includes 3 args: /usr/sbin/sendmail -t -i
2006-04-02 18:38:38 1FPzyg-0001L0-Jd <= [email protected] U=nobody P=local S=1836 T="COMPANY REP, REQUIRED" from <[email protected]> for [email protected]
2006-04-02 18:38:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FPzyg-0001L0-Jd
2006-04-02 18:38:38 cwd=/home/muslimin/public_html/tijarah/includes 3 args: /usr/sbin/sendmail -t -i
2006-04-02 18:38:38 1FPzyg-0001L2-LD <= [email protected] U=nobody P=local S=1846 T="COMPANY REP, REQUIRED" from <[email protected]> for [email protected]
2006-04-02 18:38:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FPzyg-0001L2-LD
2006-04-02 18:38:38 cwd=/home/muslimin/public_html/tijarah/includes 3 args: /usr/sbin/sendmail -t -i
2006-04-02 18:38:38 1FPzyg-0001L4-U0 <= [email protected] U=nobody P=local S=1844 T="COMPANY REP, REQUIRED" from <[email protected]> for [email protected]

The website was SUSPENDED temporarily but the webhost managed to trace the problem and the spam attack was found.

It would be appreciated if you could discuss this or redirect us to other discussion threads regarding CC vulnerability to attacks and exploits such as spammers.

Thank you.

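The log excerpt above is what the webhost used to trace the abuse: each message is injected locally (P=local) by the web server user (U=nobody) through /usr/sbin/sendmail from the shop's includes directory, all within the same second. The script below, an added example that is not the poster's or CubeCart's code, parses Exim main-log lines of that shape and reports any (user, script directory) pair that injected a burst of messages inside a short window. The sample lines, addresses, path and thresholds are constructed for the example.

```php
<?php
// Added example, not from the page or from CubeCart: flag bursts of locally injected
// mail from a web directory in an Exim main log, the pattern traced in this thread.
// Sample log lines are constructed to mirror the excerpt; addresses, path and
// thresholds are assumptions.

// Constructed sample: three injections from one directory within two seconds,
// then one ordinary message from the account owner an hour later.
const SAMPLE_EXIM_LOG = <<<'LOG'
2006-04-02 18:38:38 cwd=/home/shop/public_html/includes 3 args: /usr/sbin/sendmail -t -i
2006-04-02 18:38:38 1FPzyg-0001Ky-HZ <= sender@example.org U=nobody P=local S=1834 T="COMPANY REP, REQUIRED" from <sender@example.org> for one@example.net
2006-04-02 18:38:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FPzyg-0001Ky-HZ
2006-04-02 18:38:38 cwd=/home/shop/public_html/includes 3 args: /usr/sbin/sendmail -t -i
2006-04-02 18:38:38 1FPzyg-0001L0-Jd <= sender@example.org U=nobody P=local S=1836 T="COMPANY REP, REQUIRED" from <sender@example.org> for two@example.net
2006-04-02 18:38:40 cwd=/home/shop/public_html/includes 3 args: /usr/sbin/sendmail -t -i
2006-04-02 18:38:40 1FPzyg-0001L2-LD <= sender@example.org U=nobody P=local S=1846 T="COMPANY REP, REQUIRED" from <sender@example.org> for three@example.net
2006-04-02 19:40:02 1FQ0zz-0003Qq-Ab <= owner@example.com U=shop P=local S=912 T="Your order" from <owner@example.com> for buyer@example.net
LOG;

// Parse the two line types that matter: a local sendmail invocation (Exim records the
// caller's cwd when argument logging is enabled) and the message arrival line ("<=").
function parseEximMainlog(string $log): array
{
    $messages = [];
    $lastCwd  = null;
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('#^\S+ \S+ cwd=(\S+) \d+ args: \S*/sendmail\b#', $line, $m)) {
            $lastCwd = $m[1];            // directory of the script that called sendmail
            continue;
        }
        if (preg_match('/^(\S+ \S+) (\S+) <= (\S+) U=(\S+) P=(\S+) S=(\d+)(?: T="([^"]*)")?(?:.* for (\S+))?/', $line, $m)) {
            $messages[] = [
                'time'      => strtotime($m[1]),
                'id'        => $m[2],
                'sender'    => $m[3],
                'user'      => $m[4],
                'proto'     => $m[5],
                'size'      => (int) $m[6],
                'subject'   => $m[7] ?? '',
                'recipient' => $m[8] ?? '',
                'cwd'       => $m[5] === 'local' ? $lastCwd : null,
            ];
            $lastCwd = null;             // a cwd line only explains the next arrival
        }
    }
    return $messages;
}

// Report any (user, script directory) that injected $threshold or more messages
// within $windowSeconds: a form being driven by a spam script looks exactly like this.
function findMailBursts(array $messages, int $threshold = 3, int $windowSeconds = 60): array
{
    $byOrigin = [];
    foreach ($messages as $msg) {
        if ($msg['proto'] !== 'local' || $msg['cwd'] === null) {
            continue;                    // only locally injected mail with a known caller
        }
        $byOrigin[$msg['user'] . '|' . $msg['cwd']][] = $msg;
    }

    $bursts = [];
    foreach ($byOrigin as $origin => $list) {
        usort($list, fn ($a, $b) => $a['time'] <=> $b['time']);
        $n = count($list);
        $j = 0;
        for ($i = 0; $i < $n; $i++) {   // sliding window over sorted arrival times
            while ($j < $n && $list[$j]['time'] - $list[$i]['time'] < $windowSeconds) {
                $j++;
            }
            if ($j - $i >= $threshold) {
                [$user, $cwd] = explode('|', $origin, 2);
                $window   = array_slice($list, $i, $j - $i);
                $bursts[] = [
                    'user'       => $user,
                    'cwd'        => $cwd,
                    'first'      => date('Y-m-d H:i:s', $list[$i]['time']),
                    'count'      => $j - $i,
                    'subjects'   => array_values(array_unique(array_column($window, 'subject'))),
                    'recipients' => array_column($window, 'recipient'),
                ];
                break;                   // one finding per origin is enough for an alert
            }
        }
    }
    return $bursts;
}

if (PHP_SAPI === 'cli') {
    // Usage against a real log: php exim_bursts.php /var/log/exim/mainlog
    $log = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_EXIM_LOG;
    foreach (findMailBursts(parseEximMainlog($log)) as $b) {
        printf("%s: %d messages in 60s from U=%s cwd=%s, subjects: %s\n",
            $b['first'], $b['count'], $b['user'], $b['cwd'], implode('; ', $b['subjects']));
    }
}
```

On the constructed sample this reports one burst of three messages from U=nobody in /home/shop/public_html/includes and ignores the owner's message, which has no preceding sendmail line and a different user. The cwd is the useful part of the finding: it points straight at the directory holding the script being abused, which is how the host in this thread found the tell-a-friend code.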

Guest Brivtech

We like to alert CC users 3.0.5 about the occurrence of a major SPAMMER exploiting `tell friend' email feature to send spams to others and causing whole domain to shutdown by webhost.

> Firstly, you are 5 versions out of date. Updates are issued on a regular basis as soon as security vulnerabilities become known, so they may be fixed.

> For mail exploitation - How about suggesting that CubeCart adds in a restriction as to the number of "friends" that can be told about a product? Perhaps this could be set in the Admin General Settings area under Security.

Other general security rules:

> Always make regular backups both of the server files and databases. Take a recent backup off site to a secure location in case of fire or theft.

> Always keep credit card information safe (Including your own), and shred old receipts that you will not be claiming or handing to your accountant, so the card details are destroyed.

> Change your password regularly (Our server system has a password spin system that "spins the lock combination" every hour. With 256-bit encryption, and only 1 access point, it's almost impossible to access otherwise. Bit over the top perhaps, but then again, we store people's credit card details.)

> NEVER GIVE ANYONE YOUR PASSWORD! If you need to, change it immediately afterwards.


Guest Muslimin

Thanks Brivtech;

we are really keen on updating 305 to 308 since the out-of-the-box CC requires fixing.

However, for our clients we just installed whatever comes with Fantastico, and the webhost updates CC to 308.

Your suggestion is probably really right. Since we are really familiar with 308, have they implemented this feature?

------------------------------------------------

> For mail exploitation - How about suggesting that CubeCart adds in a restriction as to the number of "friends" that can be told about a product? Perhaps this could be set in the Admin General Settings area under Security.

-------------------------------------------------

We strongly suggest that CC should have the `access control' just like CMS (Drupal, Xoops etc) where admin can

1. enable/disable anonymous users from using `tell friend';

2. approve/disapprove users registering with emails

3. SPAM module for CC (like they have for Drupal CMS) where it can detect spam activities


The Tell A Friend feature is definitely dangerous. I removed it when I realized that it does absolutely no checking of the input or frequency of use at all. The way it came in my version (3.0.6) it was a perfect spam tool.

It would be easy to fix this code to check the input and limit the number of emails that can be sent in a specific period of time with sessions. Besides limiting the length of each field you can also check for text that would indicate header spoofing (MIME, BCC, etc.). I find that adding an error page that subtly mentions that the script is being monitored for abuse and shows the user's (possibly fake) IP address chases spammers off to easier pickings.

The script as is also doesn't check whether the mail was actually sent successfully, which is also something simple that really should be added.

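The post above lists the missing checks without showing them. The following is an added example, not CubeCart's tell-a-friend script and not code from the poster, that applies each of them to one form submission: field length limits, rejection of CR/LF and header-like text (BCC, MIME and so on) in anything that reaches a header, a per-session sliding-window send limit, and a check of the value mail() returns. The field names, the limits, the SHOP_FROM address and the `$mailer` callback are assumptions; the callback exists so the logic can be exercised without an MTA.

```php
<?php
// Added example, not CubeCart's tell-a-friend code: the checks described in the thread
// applied to one submission. Field names, limits, SHOP_FROM and the $mailer callback
// are assumptions made for this example.

const SHOP_FROM          = 'shop@example.com';  // assumed store address used as From:
const TAF_MAX_PER_WINDOW = 3;                   // sends one session may make per window
const TAF_WINDOW_SECONDS = 3600;
const TAF_MAX_NAME_LEN   = 80;
const TAF_MAX_NOTE_LEN   = 500;

// Anything that could end a header line or start a new header is rejected outright.
function isHeaderSafe(string $value): bool
{
    return !preg_match('/[\r\n\0]/', $value)
        && !preg_match('/^\s*(?:bcc|cc|to|from|content-type|mime-version)\s*:/i', $value);
}

// Return a list of validation errors; an empty list means the submission is acceptable.
function validateTellAFriend(array $input): array
{
    $errors = [];
    $name   = trim((string) ($input['sender_name'] ?? ''));
    if ($name === '' || strlen($name) > TAF_MAX_NAME_LEN || !isHeaderSafe($name)) {
        $errors[] = 'sender_name is missing, too long, or contains header characters';
    }
    foreach (['sender_email', 'friend_email'] as $field) {
        $addr = trim((string) ($input[$field] ?? ''));
        // FILTER_VALIDATE_EMAIL rejects CR/LF, so a valid address cannot carry a header.
        if (strlen($addr) > 254 || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$field is not a valid address";
        }
    }
    $note = (string) ($input['note'] ?? '');
    if (strlen($note) > TAF_MAX_NOTE_LEN) {
        $errors[] = 'note is too long';
    }
    // The note only goes into the body, but a header block pasted into it is a strong
    // sign of an injection attempt, so refuse it rather than relay it.
    if (preg_match('/^(?:bcc|cc|to|content-type|mime-version)\s*:/im', $note)) {
        $errors[] = 'note looks like a mail header block';
    }
    return $errors;
}

// Per-session sliding window: at most TAF_MAX_PER_WINDOW sends per TAF_WINDOW_SECONDS.
function rateLimitAllows(array &$session, int $now): bool
{
    $recent = array_values(array_filter(
        $session['taf_sent'] ?? [],
        fn ($t) => $now - $t < TAF_WINDOW_SECONDS
    ));
    if (count($recent) >= TAF_MAX_PER_WINDOW) {
        $session['taf_sent'] = $recent;
        return false;
    }
    $recent[] = $now;
    $session['taf_sent'] = $recent;
    return true;
}

// Validate, rate-limit, send, and report whether the MTA actually accepted the message.
function handleTellAFriend(array $input, array &$session, int $now, callable $mailer): array
{
    $errors = validateTellAFriend($input);
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    if (!rateLimitAllows($session, $now)) {
        return ['ok' => false, 'errors' => ['too many recommendations sent; try again later']];
    }
    $name    = trim($input['sender_name']);
    $subject = 'A product recommendation from ' . $name;
    $body    = $name . " thought you might like a product at our store.\n\nTheir note:\n"
             . $input['note'] . "\n";
    $headers = 'From: ' . SHOP_FROM . "\r\n"                    // never a user-supplied From:
             . 'Reply-To: ' . trim($input['sender_email']) . "\r\n";
    // mail() returns false when the local MTA refuses the message; the stock script ignored this.
    if (!$mailer(trim($input['friend_email']), $subject, $body, $headers)) {
        error_log('tell-a-friend: mail() failed for ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return ['ok' => false, 'errors' => ['the message could not be sent']];
    }
    return ['ok' => true, 'errors' => []];
}

// In a real form handler the call is: handleTellAFriend($_POST, $_SESSION, time(), 'mail');
// Below, a recording mailer stands in for mail() so the example runs offline.
if (PHP_SAPI === 'cli') {
    $session = [];
    $outbox  = [];
    $fakeMailer = function ($to, $subject, $body, $headers) use (&$outbox) {
        $outbox[] = compact('to', 'subject', 'headers');
        return true;
    };
    $good = ['sender_name' => 'Alice', 'sender_email' => 'alice@example.org',
             'friend_email' => 'bob@example.net', 'note' => 'Have a look at this.'];
    $injected = $good;
    $injected['sender_name'] = "Alice\r\nBcc: list@example.org";   // header injection attempt
    for ($i = 0; $i < 4; $i++) {                                    // fourth send is refused
        $r = handleTellAFriend($good, $session, 1000 + $i, $fakeMailer);
        echo "send $i: " . ($r['ok'] ? 'ok' : implode(', ', $r['errors'])) . "\n";
    }
    $r = handleTellAFriend($injected, $session, 1005, $fakeMailer);
    echo 'injected: ' . implode(', ', $r['errors']) . "\n";
    echo count($outbox) . " messages reached the mailer\n";
}
```

Run from the command line, the first three sends succeed, the fourth is refused by the session window, the injected name is rejected before any mail is attempted, and three messages reach the mailer. A session-based limit only holds for clients that keep their cookie, so in production pair it with a per-IP or global limit on the same script; the mail() check matters because a false return is the earliest sign that the host's MTA has started refusing the site's mail.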

Guest Muslimin

ANOTHER EXPLOITABLE CC Script is mailList.inc.php

Delete this in includes/boxes or rename it to something .txt so that it is not executable

Morons always find ways to shutdown somebody else's website

We believe the spammers had the intention of shutting down the whole site, not just sending useless viagra or casino spams.

And they found all the PHP scripts they could

