CalderaWP / Caldera-Forms

Drag and drop, responsive WordPress form builder.
https://CalderaForms.com
GNU General Public License v2.0

BOT SPAM bypassing basic field validation #2590

Closed SpoiltNX closed 6 years ago

SpoiltNX commented 6 years ago

Caldera Forms Version : 1.6.1.1 & 1.7

PHP Version : 7.1

Description of Setup:

We use Caldera Forms in conjunction with WP Contact Slider. The form is available in a slider pop-out and on its own dedicated page.

Fields: Normal contact form style fields, name, email, where did you hear about us...

Processors: Auto Responder, Redirect

SPAM protection: Basic honey pot

Description of Problem

We have never had a spam problem, until today. We have been seeing a sudden influx of submissions where all fields are set to the value "1", including fields with validation on them like Email.

EG:

Name: 1
Email: 1
Contact Number: 1

Action taken:

We have identified the IP address through a hidden field and blocked it.

Apache Logs:

Below are some of the more interesting logs.

Please note it is company policy to remove any identifying information when publicly disclosing logs, so I have redacted with "xxx" some information.

./access.log:216.244.87.82 - - [07/Jun/2018:09:58:56 +0200] "POST /xxxxxx/?cf_su=1 HTTP/1.1" 403 909 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:58:55 +0200] "POST /xxxxxx/?cf_su=1 HTTP/1.1" 302 487 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:58:55 +0200] "POST /xxxxxx/?cf_su=1 HTTP/1.1" 302 486 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:58:31 +0200] "GET /?cf_su=1_9593():;9132 HTTP/1.1" 301 523 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:58:07 +0200] "GET /?cf_su=9999486*10000264 HTTP/1.1" 301 519 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:57:37 +0200] "GET /?cf_su=acu5485%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca5485 HTTP/1.1" 200 20495 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:53:13 +0200] "GET /?cf_su=acux7947%C0%BEz1%C0%BCz2a%90bcxuca7947 HTTP/1.1" 200 20462 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:24:41 +0200] "POST /xxxxxx/?cf_su=JyI%3d HTTP/1.1" 302 486 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:23:59 +0200] "POST /xxxxxx/?cf_su=1%00%c0%a7%c0%a2 HTTP/1.1" 302 486 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:01:35 +0200] "POST /xxxxxx/?cf_su=if(now()%3dsysdate()%2csleep(33)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(33)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(33)%2c0))OR%22*/ HTTP/1.1" 403 909 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:01:36 +0200] "POST /xxxxxx/?cf_su=(select(0)from(select(sleep(33)))v)/*'%2b(select(0)from(select(sleep(33)))v)%2b'%22%2b(select(0)from(select(sleep(33)))v)%2b%22*/ HTTP/1.1" 403 909 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:09:01:33 +0200] "POST /xxxxxx/?cf_su=-1%22%20OR%202%2b515-515-1%3d0%2b0%2b0%2b1%20--%20 HTTP/1.1" 302 486 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:08:59:07 +0200] "POST /xxxxxx/?cf_su=-1));select%20pg_sleep(5);%20--%20 HTTP/1.1" 302 486 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:08:58:40 +0200] "POST /xxxxxx/?cf_su=%26nslookup%20bOgnhFho%26'%5c%22%600%26nslookup%20bOgnhFho%26%60' HTTP/1.1" 302 485 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:08:32:10 +0200] "POST /xxxxxx/?cf_su=invalid../../../../../../../../../../etc/passwd/././././././././././././././././././././././././././././././././ HTTP/1.1" 403 908 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:08:32:03 +0200] "POST /xxxxxx/?cf_su=.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./etc/passwd HTTP/1.1" 302 485 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:08:32:02 +0200] "POST /xxxxxx/?cf_su=/../..//../..//../..//../..//../..//etc/passwd%00.jpg HTTP/1.1" 403 908 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:08:31:59 +0200] "POST /xxxxxx/?cf_su=../../../../../../../../../../../../../../../proc/version HTTP/1.1" 403 909 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:08:09:14 +0200] "POST /xxxxxx/?cf_su=12345'\"\\'\\\");|]*%00{%0d%0a<%00>%bf%27'\xf0\x9f\x92\xa9 HTTP/1.1" 302 486 "https://www.xxxxxx.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:07:38:47 +0200] "POST /?wc-ajax=))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) HTTP/1.1" 200 5992 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
./access.log:216.244.87.82 - - [07/Jun/2018:00:02:52 +0200] "GET / HTTP/1.1" 200 20996 "() { Referer; }; echo -e \"Content-Type: text/plain\\n\"; echo -e \"\\0141\\0143\\0165\\0156\\0145\\0164\\0151\\0170\\0163\\0150\\0145\\0154\\0154\\0163\\0150\\0157\\0143\\0153\"" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"

PHP Logs

Below are the only PHP error log entries that I can find that might be relevant to this. As there are only two entries and I have 70MB of access logs related to this one IP, I am not sure the below is relevant; it could possibly be related to a plugin upgrade.

[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "NOTICE: PHP message: PHP Fatal error:  Uncaught Error: Call to undefined method Caldera_Forms_DB_Form::get_all() in /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/forms.php:248"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "Stack trace:"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#0 /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/forms.php(175): Caldera_Forms_Forms::get_stored_forms()"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#1 /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/gdpr.php(121): Caldera_Forms_Forms::get_forms(false)"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#2 /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/gdpr.php(28): Caldera_Forms_GDPR::enabled_forms()"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#3 /var/www/sites/www.xxxxx.com/public/wp-includes/class-wp-hook.php(286): Caldera_Forms_GDPR::register_gdpr('')"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#4 /var/www/sites/www.xxxxx.com/public/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(NULL, Array)"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#5 /var/www/sites/www.xxxxx.com/public/wp-includes/plugin.php(453): WP_Hook->do_action(Array)"

[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "NOTICE: PHP message: PHP Fatal error:  Uncaught Error: Call to undefined method Caldera_Forms_DB_Form::get_all() in /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/forms.php:248"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "Stack trace:"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#0 /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/forms.php(175): Caldera_Forms_Forms::get_stored_forms()"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#1 /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/gdpr.php(121): Caldera_Forms_Forms::get_forms(false)"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#2 /var/www/sites/www.xxxxx.com/public/wp-content/plugins/caldera-forms/classes/gdpr.php(28): Caldera_Forms_GDPR::enabled_forms()"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#3 /var/www/sites/www.xxxxx.com/public/wp-includes/class-wp-hook.php(286): Caldera_Forms_GDPR::register_gdpr('')"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#4 /var/www/sites/www.xxxxx.com/public/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(NULL, Array)"
[07-Jun-2018 09:28:28] WARNING: [pool www-wp] child 20462 said into stderr: "#5 /var/www/sites/www.xxxxx.com/public/wp-includes/plugin.php(453): WP_Hook->do_action(Array)"

Expected Outcome

Submission entries should not have been created as they don't even pass basic validation. EG: email address.

Comments

Based on this we feel there is a possibility of a bug or issue related to Caldera Forms, as the entries should not exist even if they are from a bot probing or trying different exploits.

Shelob9 commented 6 years ago

This is a really interesting find. Thank you.

Can you please try installing this as a plugin: https://gist.github.com/Shelob9/bd184ae701de55dcce2953107f914fa0

That should stop the submissions from invalid email addresses. If it stops the spam (make sure to test it does not stop legit submissions) then that's an easy fix we can put into 1.7.1.

SpoiltNX commented 6 years ago

@Shelob9 Thank you for your prompt response.

So upon further investigation we upgraded this issue from a SPAM issue to a security issue. The emails were found to be a consequence of exploit probing, not your classic form submission SPAM. Caldera Forms was a major target along with WooCommerce, but mostly Caldera Forms.

The best we can tell, some of these exploit probe requests would trigger some sort of error / change in behaviour and the form entries with all the fields filled in with a "1" seems to be a side effect.

Action Taken Since Last:

  1. We use WordFence and so we blacklisted the IP. We also saw in the logs that WordFence was regularly temporarily blocking the IP. Once we added the IP to the permanent blacklist all evidence of the issue disappeared.
  2. After further investigation we saw that the bot was not giving up and was finding other non-WP parts of our site as well, so we decided to block the IP through Apache. The attack continued for several hours after blocking. Based on the logs, the total run time of the attack we can say was roughly 19 hours.

Questions:

  1. Why do we need to add additional email validation? We were of the assumption that Caldera Forms was doing Email address validation. Is there no server side email address validation?
  2. What do you need us to do to take this issue further? We have a lot of logs but they are classic Apache logs and so we don't have access to the POST data, and I think it was the POST data that triggered the problem.

Shelob9 commented 6 years ago

@SpoiltNX Thanks for the additional information. Nothing we can do if the hack is inside of your server. In my opinion a security plugin is papering over a larger issue - your host isn't filtering malicious traffic.

  1. "Why do we need to add additional email validation? We were of the assumption that Caldera Forms was doing Email address validation. Is there no server side email address validation?"
     I need to look, but I'm not sure there is server-side validation for it; if I'm right that's a bug.

  2. Other than me adding that check, I can't really help besides recommending that you switch to a better host. I use WPEngine and Pantheon. I'd also trust Kinsta or Pagely.
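A server-side email check of the kind Shelob9 describes, written here as an added example (it is neither the linked gist nor Caldera Forms' own code); it assumes Caldera Forms applies a caldera_forms_validate_field_{type} filter with (value, field, form) arguments and treats a WP_Error return as a validation failure, which should be verified against the installed version.

```php
<?php
/**
 * Plugin Name: Caldera Forms server-side email check (added example)
 *
 * Rejects a submission whose email field does not hold a syntactically valid
 * address, so that probe traffic with every field set to "1" never becomes an
 * entry. Assumption: Caldera Forms runs
 *   apply_filters( 'caldera_forms_validate_field_' . $type, $value, $field, $form )
 * for each field and treats a WP_Error return as a validation failure.
 */
add_filter( 'caldera_forms_validate_field_email', 'example_cf_validate_email', 10, 3 );

/**
 * Validate the submitted value of an email field on the server.
 *
 * @param mixed $value Submitted value of the email field.
 * @param array $field Field configuration (uses the 'label' key).
 * @param array $form  Form configuration (unused here).
 * @return mixed|WP_Error The unchanged value, or a WP_Error that blocks the entry.
 */
function example_cf_validate_email( $value, $field, $form ) {
    $value = is_scalar( $value ) ? trim( (string) $value ) : '';

    // An empty optional field is left to the plugin's own "required" handling.
    if ( '' === $value ) {
        return $value;
    }

    // is_email() is WordPress core's server-side syntax check (no DNS lookup);
    // "1" and random letter strings such as "upepouuo" both fail it.
    if ( ! is_email( $value ) ) {
        $label = isset( $field['label'] ) ? $field['label'] : 'Email';
        return new WP_Error(
            'invalid-email',
            sprintf( 'The %s field must contain a valid email address.', esc_html( $label ) )
        );
    }

    return $value;
}
```

Because the check runs in PHP on the submission itself, it holds regardless of what the browser-side validation or a honeypot saw, which is the property the thread asks for.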

SpoiltNX commented 6 years ago

@Shelob9 We have several integrated systems on that domain, so we actually host our own site. I think filtering malicious traffic is really nice but a website should not be vulnerable, insecure or changing behaviour without it.

Server side validation for me is very important, the data that makes it through to the database should be valid as per the type defined in the settings. I believe I should be able to trust the data that is stored in my own database, I should not have to run additional validation and sanitisation when trying to use data stored in our own database.

We have verified that we were not compromised. The security plugin uses normal rule-based monitoring where, if X number of failed login attempts, 404 requests or some metric in Y time is logged, your IP gets blocked (status code 403) for Z amount of time. So to my knowledge there is no papering over taking place, but rather reducing the impact and frequency of the issue.

If I understand you correctly there is not much you can do or take action on and would require more clear cut and reproducible information?

SpoiltNX commented 6 years ago

Additionally, you should also take note that we have since received two more submissions with invalid email addresses that made it through, and these were not part of an attack.

EG:

Name: itwriytp
Email: upepouuo
Contact Number: oueuwyop

Shelob9 commented 6 years ago

Closed via edb2b3e #2638