Spammers posting URLS with the IP plugin

[cmendla]

Over the last couple of days i've noticed that the IP plugin occasionally shows something other than an IP. Namely, it is a random six character word and a url. The url is

www QS3PE5Z GdxC9Io VKTAPT2 DBYpP kMKqfz . com <<< DANGER WILL ROBINSON.. I would NOT visit this URL..

NOTE - i added the spaces in the url so it would not be dangerous and clickable.

That URL show up when you do a whois search.

The ip from the plugin gets sent in the email. I didn't notice it until the site owner forwarded the email from the form to me. Google Mail killed the email as soon as I opened it. Apparently google is aware that the URL is from the dirty part of town.


I'm going to look at the validation for the IP and see if I can do anything to stop the behavior.

My reason for posting this is

• What is the best way to stop people from spoofing the IP plugin
• The plugin might need to be fixed as this isn't a direct security issue but it is passing what is probably a dangerous URL.
• Is this just plain old form spamming or are they up to something more.

thanks
chris

 

[cmendla]

I am trying the regex validation with \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b as per http://www.regular-expressions.info/examples.html

It also appears that I could use a php validation of

function validateIP($ip){return inet_pton($ip)!==false;}
per http://stackoverflow.com/questions/9608001/php-function-to-validate-ipv4-and-ipv6-using-regex


What I want is for the form submission to fail if the submitter is fudging their IP..



.

 

[cmendla]

Arrrggghhh

I have the particular form set to show a confirmation page after submission. When I added the regex validation, I just got a 'form saved' dialog box instead of my confirmation page. When I unpublished the regex validation, the confirmation page worked again.

The main goal here is to stop submissions where the sender has tampered with their IP for the plugin. The ip plugin version I am using is

3.1rc2. I'm not sure if an update would help. ​

​

 

[cmendla]

OK - had the regex wrong. - I tried /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/ and my test went through. Now I have to see if that blocks the spammers.

 

[cmendla]

UPDATE - I did some more testing.. If I try adding either a regex or isnumeric validation to the IP plugin, my redirect page does not work. I simply get a 'form saved' dialog.

I think that the validations part of the ip plugin is not working..

To re-summarize

• We really need the ip plugin for accountability and tracking purposes.
• It appears that there is a way hackers/spammers can spoof the ip plugin and replace it with URLs and text.
• Our form is set up with a confirmation page. (Redirect plugin).
• Other elements have notempty validations and they do not cause the redirect to fail.
• Joomla 2.5.20
• Reloaded from github. All fabrik content is 3.0.9.x

thanks

chris

 

[cmendla]

Friendly bump ...