Joomla-cms: Spam is sent using com_contact

Created on 13 Mar 2019 · 12 Comments · Source: joomla/joomla-cms

This is https://github.com/joomla/joomla-cms/issues/20865 clone

Steps to reproduce the issue

Leave com_contact activated (default is activated). No contacts are defined and no menu items are defined to any contact. So on the site itself there is no way to e-mail a contact using com_contact and the default Joomla contactform.

Expected result

It is impossible that I receive any e-mail from com_contact and the default Joomla contactform.

Actual result

Spam e-mails are received from Russian and Chinese e-mail addresses (also see: forum.joomla.org/viewtopic.php?t=958667). Spambots are able to use com_contact to send spam e-mails even when no contacts are defined on the website.

Actual example of POST request body:

jform[contact_name]=msmith&jform[contact_email][email protected]&jform[contact_subject]=Waiting for your reply 00588&jform[contact_message]=You have a new answer to your question. Go to view - https://896.drive.google.com/open?---spamlinkdeleted---&jform[contact_email_copy]=1&option=com_contact&task=contact.submit&c638bbeab4934f6f160dfdecdb03fa3f=1

posted to:

index.php?option=com_contact&view=contact&id=1

System information (as much as possible)

Joomla 3.5-3.9.4

Additional comments

This is almost a security issue, because a provider I use may block my website when a lot of spam is coming from my website. So, this misuse of Joomla should not be possible by default.

Labels: J3 Issue, No Code Attached Yet
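The reporter's evidence is a POST body plus the URL it was sent to; on a server the first place this shows up is the access log, where only the URL survives (the task=contact.submit field travels in the body). The following is an added example, not code from the issue or from Joomla: it flags IPs that burst-POST to com_contact from constructed Apache combined-format log lines, and separately picks the abuse indicators (task=contact.submit, copy-to-sender ticked, a link in the message) out of a form body captured by a WAF or audit log. The log lines, addresses, the 303 status, the example.net link and the victim@example.org address are all constructed placeholders; the body keeps the field names the issue shows.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines (RFC 5737 addresses), not taken from the issue.
# 203.0.113.7 hammers the contact endpoint; 198.51.100.9 submits once.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2019:10:01:02 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2019:10:01:05 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2019:10:01:09 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2019:10:01:14 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2019:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2019:10:02:30 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# Constructed form body in the shape the issue shows; address and link are placeholders.
SAMPLE_BODY = (
    "jform[contact_name]=msmith"
    "&jform[contact_email]=victim@example.org"
    "&jform[contact_subject]=Waiting for your reply 00588"
    "&jform[contact_message]=You have a new answer to your question. Go to view - https://example.net/open?id=1"
    "&jform[contact_email_copy]=1"
    "&option=com_contact&task=contact.submit"
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(log_text):
    """Yield one dict per well-formed access-log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
            }


def is_contact_post(entry):
    """True for a POST aimed at com_contact (the task itself is in the body, not the URL)."""
    if entry["method"] != "POST":
        return False
    query = parse_qs(urlsplit(entry["target"]).query)
    return query.get("option") == ["com_contact"]


def find_burst_senders(log_text, threshold=3, window_seconds=60):
    """Return {ip: total contact POSTs} for IPs with `threshold` POSTs inside `window_seconds`."""
    posts = defaultdict(list)
    for entry in parse_log(log_text):
        if is_contact_post(entry):
            posts[entry["ip"]].append(entry["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def classify_body(body):
    """Extract the indicators of the abuse the issue describes from a captured form body."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    message = fields.get("jform[contact_message]", "")
    result = {
        "contact_submit": fields.get("task") == "contact.submit",
        "copy_to_sender": fields.get("jform[contact_email_copy]") == "1",
        "link_in_message": re.search(r"https?://", message) is not None,
        "sender": fields.get("jform[contact_email]", ""),
    }
    # Copy-to-sender plus a link: the address in contact_email receives the site's mail with the link.
    result["copy_to_sender_abuse"] = (
        result["contact_submit"] and result["copy_to_sender"] and result["link_in_message"]
    )
    return result


if __name__ == "__main__":
    print(find_burst_senders(SAMPLE_LOG))
    print(classify_body(SAMPLE_BODY))
```

Run against real logs the threshold and window need tuning to the site's normal contact traffic; a single GET of the contact page followed by a POST is what a human does, so a stream of POSTs with no preceding GET is itself a useful secondary signal.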

All 12 comments

I can confirm I have been battling the same issue. I rarely use the contact component, so I have opted to just disable it on all of my Joomla websites.

No contacts are defined

I tried to reproduce this using a non-existent contact ID in the URL and I get a 404.

So, could you please verify that there's no record with ID 1 in com_contact in the published or archived state?

So, could you please verify that there's no record with ID 1 in com_contact in the published or archived state?

I can confirm that, if ID 1 is in the Archived state, it's still reachable by
index.php?option=com_contact&view=contact&id=1

In the Unpublished state, the URL gives a 404

I can confirm that, if ID 1 is in the Archived state, it's still reachable by
index.php?option=com_contact&view=contact&id=1

As is intended. Archived does not translate to unpublished or inaccessible on Joomla's frontend.
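The two facts established in this exchange are that a contact with state 2 (archived) is still served while state 0 (unpublished) returns 404, and (from the question about sample data) that whether a copy goes to the "sender" address depends on the contact's mail-to-sender option, which falls back to the component's global option when left on Use Global. The following added example, not code from the thread or from Joomla, audits constructed rows shaped like #__contact_details and the com_contact component options for exactly that: which contacts a bot can still POST to and what their effective copy-to-sender setting is. The parameter name show_email_copy, the state values 1/2/0/-2, and the rule that an empty item parameter means "use the global value" are assumptions about Joomla 3.x stated here, not something the thread shows; the rows and addresses are constructed.

```python
import json

# Item states as stored in #__contact_details.published (assumed Joomla 3.x values).
PUBLISHED, ARCHIVED, UNPUBLISHED, TRASHED = 1, 2, 0, -2
STATE_NAMES = {PUBLISHED: "published", ARCHIVED: "archived",
               UNPUBLISHED: "unpublished", TRASHED: "trashed"}

# Constructed rows shaped like #__contact_details (id, name, email_to, published, params)
# and the com_contact options from #__extensions.params. Not real site data.
GLOBAL_PARAMS = {"show_email_copy": "1"}
CONTACTS = [
    {"id": 1, "name": "Sample contact", "email_to": "owner@example.org",
     "published": ARCHIVED, "params": '{"show_email_copy":""}'},      # "" = Use Global
    {"id": 2, "name": "Sales", "email_to": "sales@example.org",
     "published": PUBLISHED, "params": '{"show_email_copy":"0"}'},
    {"id": 3, "name": "Retired", "email_to": "old@example.org",
     "published": UNPUBLISHED, "params": '{"show_email_copy":"1"}'},
]


def effective_param(item_params, global_params, key, default="0"):
    """Item params override component params; an empty string means Use Global (assumed)."""
    value = item_params.get(key, "")
    if value == "":
        value = global_params.get(key, default)
    return str(value)


def frontend_reachable(contact):
    """Per the thread: published and archived contacts are served, unpublished gives a 404."""
    return contact["published"] in (PUBLISHED, ARCHIVED)


def audit_contacts(contacts, global_params):
    """List every contact a bot can still POST to, with its effective copy-to-sender setting."""
    findings = []
    for contact in contacts:
        if not frontend_reachable(contact):
            continue
        params = json.loads(contact["params"] or "{}")
        copy_to_sender = effective_param(params, global_params, "show_email_copy") == "1"
        findings.append({
            "id": contact["id"],
            "state": STATE_NAMES[contact["published"]],
            "email_to": contact["email_to"],
            # True means whatever address a bot puts in contact_email gets the message.
            "copy_to_sender": copy_to_sender,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_contacts(CONTACTS, GLOBAL_PARAMS):
        print(finding)
```

Contact 1 is the case this thread is about: archived, so still reachable, and inheriting copy-to-sender from the global option. Contact 3 is the remediation the thread converges on: unpublishing (or disabling the component) takes it out of the list entirely.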

After looking back through sites I've known to have this occur, the bulk have been older sites that were built off of Joomla template quickstarts that probably had default data in the contact component. I don't see this happen with sites that were built from a blank slate.

I wouldn't mind seeing the installer in the future prompt the user about the core components and ask if they would like to be enabled.

So why did you leave sample data on the site?

Many "not so advanced" people do.
They create the website with sample data so it will be easier to simply adjust it than to create everything from scratch. After that, they just change everything they see (and that's not the case with com_contact AFAIK).

Does the sample data have the mail-to-sender option active?

Hello Friends.

Exactly the same issue. Multiple spam messages are being sent using Joomla (latest version) and the contact component. Here is the POST entry:

[image not preserved]

I'm going to:

  1. Unpublish the contact id=1 and see the behavior.
  2. Change the SMTP password.
  3. Wait for any new POST.

Any security improvement to this?

If you don't use the Contacts component, then disable it.

I don't think we can do much more here.
@Quy / @franz-wohlkoenig please close.

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/24187
