[pmwiki-users] Vulnerability being exploited

Wed Jan 3 13:39:32 CST 2007

Apparently I was wrong about "a vulernability is being exploited on the 
top-level script." Criss, who helped me upgrade to the latest version of 
PmWiki, tells me:

    The way the mailform works, people *can't* get your email address. 
    Your email address is in the config file, not anywhere a spammer
    could get to it.

But after the upgrade, I'm still getting about 15 spams each day. Here's 
an example:

 <a href="http://www.spazioforum.it/forums/cayman.html">viagra online</a> [url=http://www.spazioforum.it/forums/cayman.html]viagra online[/url] <a href="http://www.spazioforum.it/forums/gtcup.html">buy levitra</a> [url=http://www.spazioforum.it/forums/gtcup.html]buy levitra[/url] <a href="http://www.spazioforum.it/forums/carrera.html">viagra cheap</a> [url=http://www.spazioforum.it/forums/carrera.html]viagra cheap[/url] <a href="http://www.spazioforum.it/forums/cayenne.html">buy generic viagra</a> [url=http://www.spazioforum.it/forums/cayenne.html]buy generic viagra[/url] <a href="http://www.spazioforum.it/forums/boxster.html">generic cialis</a> [url=http://www.spazioforum.it/forums/boxster.html]generic cialis[/url]  cnk7inl180cn9n9 
-------------------------------------------/*
**This message was sent by the PmWiki MailForm at Comment.Home*/

But http://progressiveresourcecatalog.org/index.php/Comment.MailformWh 
no longer exists. I deleted it and substituted "To contact the 
Progressive Resource Catalog, send email to Wade Hudson, whudson AT igc 
DOT org." (See 
http://progressiveresourcecatalog.org/index.php/Comment.Home). How can I 
be getting spam from a mailform that is no longer on my site?

Using Thunderbird, I filter that spam into my Junk mail folder and 
periodically delete them. So it's no real problem for me and my web host 
no longer seems worried about a more serious vulnerability.

But this spam remains a curiosity that may be of interest to others and 
may be a problem that we can solve somehow. Could the spammers have 
captured what they need to use the mail form even though that page is no 
longer on the site?

Should I update my comments.php or my mailform recipe (they're both old)?

Thanks,
Wade

christian.ridderstrom at gmail.com wrote:

> On Thu, 21 Dec 2006, Wade Hudson wrote:
>
>> Dear pmwiki users:
>>
>> On my site, a vulernability is being exploited on the top-level 
>> script. About ten times a day, I receive spam that includes a number 
>> as the username and then has "@users.hostname.net" as the domain name.
>
>
> I'm not to clear on the details here. Are you saying that pmwiki.php 
> is being used to send spam?
>
> /Christian
>
>------------------------------------------------------------------------
>
>_______________________________________________
>pmwiki-users mailing list
>pmwiki-users at pmichaud.com
>http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: /pipermail/pmwiki-users/attachments/20070103/98354602/attachment.html 