English 中文(简体)
ASP.NET security issues, maybe Umbraco related, but most likely just general security issue
原标题:

I have an incredibly frustrating problem cleaning up my site at the moment. On the same hosting space I have Umbraco (ASP.NET) and Blab Lite (PHP Chatroom) installed. The former talks to SQL 2005, and the latter to MySQL 5.

On my Umbraco site I had a guestbook with an entry form. Upon postback it does an Akismet check and skips the creation/saving of the corresponding Umbraco document if it is verified by Akismet as spam.

However, recently I started getting entries created under my guestbook node which are verified as spam, and yet the document is still saved. I have even gone as far as hiding the form using "display:none" and yet these entries are still created! I have modified the DLL to include logging to Umbraco document event logs and somehow the creation of these still does not trigger any entries to the logs. I ve even created an eventhandler for Document.BeforeSave event in a separate assembly and this event handler is not catching the saving of these entries.

I m really stumped as to how the spammers can create these entries. Has anyone got any ideas how this can be done, and how I can secure my site to prevent this kind of attack?

Thanks, Dany.

最佳回答

This seems like an old post but it s not marked as answered so I ll give it a go. I havnt used Umbraco in a while so I m not sure if they ve fixed this in the latest version, but the problem is with Umbraco it self. Document.BeforeSave() gets fired AFTER the node is created, that s why your spam filter is not working. Marking the form as not visible wont work because the bot will look at the source code and just pattern match the form fields it finds. Have a look here for more details on the Umbraco problem:

http://forum.umbraco.org/yaf_postst9312_BeforePublish-and-BeforeSave-Event-Handlers.aspx

Like I said I haven t used Umbraco in ages, but hopefully it will help someone even if you ve found a fix.

Paul

问题回答

My guess is that there is a bug in your code to skip the creation/saving of the Umbraco document... although it is strange that the Document.BeforeSave event is not triggered. Are you sure that your event listeners are also working (i.e. do they register the saving of non-spam entries?)

By the way, setting "display:none" won t stop spammers as bots will generally ignore CSS anyway.

Yup, the event listeners are working indeed. This lead me to think something else is odd here. I finally took the plunge and went through it all with a finer-toothed comb. First I compared the content of the bin folder between standard Umbraco 4 distribution and the one on my host. I figured it was easiest to overwrite each one with a fresh one. Then I went through each Umbraco package I ve installed and made sure the DLLs are also fine. Well, there was 1 DLL that didn t match anything else in Umbraco or packages I ve installed - EO.Web.dll!

It seems there s a legit thing out there by EssentialObjects but I don t think Umbraco, my code, or any of the packages actually uses it! I deleted it and every part of my Umbraco install still works! I ve now set visibility of of the form in ascx markup so it s not rendered - now we wait and see if that was the offending piece of malware!





相关问题
Anyone feel like passing it forward?

I m the only developer in my company, and am getting along well as an autodidact, but I know I m missing out on the education one gets from working with and having code reviewed by more senior devs. ...

How to Add script codes before the </body> tag ASP.NET

Heres the problem, In Masterpage, the google analytics code were pasted before the end of body tag. In ASPX page, I need to generate a script (google addItem tracker) using codebehind ClientScript ...

Transaction handling with TransactionScope

I am implementing Transaction using TransactionScope with the help this MSDN article http://msdn.microsoft.com/en-us/library/system.transactions.transactionscope.aspx I just want to confirm that is ...

System.Web.Mvc.Controller Initialize

i have the following base controller... public class BaseController : Controller { protected override void Initialize(System.Web.Routing.RequestContext requestContext) { if (...

Microsoft.Contracts namespace

For what it is necessary Microsoft.Contracts namespace in asp.net? I mean, in what cases I could write using Microsoft.Contracts;?

Separator line in ASP.NET

I d like to add a simple separator line in an aspx web form. Does anyone know how? It sounds easy enough, but still I can t manage to find how to do it.. 10x!

热门标签