Magento Forum

Can this be a security issue? 
 
SonicE
Member
 
Total Posts:  47
Joined:  2007-11-08
Bulgaria
 

Hi all, we have a production site and every day we get a lot of SPAM via the product review form. All this happens only on one product in our store. So I have disabled this product (Status: Inactive, Visibility: Nowhere). This doesn’t solve the problem. The spammers are not using the review form of the product. They just use the post URL of the form to send spam reviews to the store.

http://www.como.bg/review/product/post/id/833/

I think it is a script that sends via POST directly to this URL. And the questions are:
1. How is it possible to add a review for an inactive product?
2. Is there a way to make writing reviews possible for customers only?
3. Integrating some kind of security check (captcha or something similar) is the first priority.

Thanks

 
 
SonicE
Member
 
Total Posts:  47
Joined:  2007-11-08
Bulgaria
 

No one with an answer here...

 
 
erict
Member
 
Total Posts:  31
Joined:  2008-07-21
 
SonicE - 05 August 2008 04:44 AM

No one with an answer here...

The developers very, very rarely bother with these threads… unfortunately, unless someone here has already solved your issue and is hanging around to share (or you feel like shelling out the money for Varien support, which seems to be the point of this software), you’re probably out of luck.

A quick and dirty suggestion would be to find the validate() function here…

app/code/core/Mage/Review/Model/Review.php

...and add a conditional to see if the user is logged in; if not, add an error.  You could try checking for this:

Mage::getModel('customer/session')->getCustomerId()

I’m not sure what it returns when a user isn’t logged in, but presumably it’s something that evaluates to false.  You could also create that test in an observer and try to attach it to the before_save event on a review, though I don’t see an _eventPrefix in that class, so I’m not sure whether it actually fires.

Hope this helps!
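One way to carry out the suggestion above without editing the core file is a local-module rewrite of the review model that overrides validate(). This is an added example, not code from the thread or from Magento itself; the module name Example_ReviewGuard and the error strings are made up for illustration. It assumes the Magento 1.x contract that validate() returns true on success or an array of error messages, and that the posting controller stores the product id on the review as entity_pk_value. It also adds the check the first post asked about: a review of a disabled product is refused, so a script posting straight to the /review/product/post/id/... URL is stopped by status alone, not only by the login requirement.

```php
<?php
/*
 * Example_ReviewGuard (hypothetical module name): overrides the core review
 * model so that validate() rejects reviews from guests and reviews of
 * disabled products. Register the rewrite in
 * app/code/local/Example/ReviewGuard/etc/config.xml:
 *
 *   <config>
 *     <modules><Example_ReviewGuard><version>0.1.0</version></Example_ReviewGuard></modules>
 *     <global><models><review><rewrite>
 *       <review>Example_ReviewGuard_Model_Review</review>
 *     </rewrite></review></models></global>
 *   </config>
 *
 * and enable the module in app/etc/modules/Example_ReviewGuard.xml.
 * File: app/code/local/Example/ReviewGuard/Model/Review.php
 */
class Example_ReviewGuard_Model_Review extends Mage_Review_Model_Review
{
    /**
     * The core validate() returns true on success or an array of error
     * messages; the front-end controller shows those messages and does not
     * save the review. Keep that contract: run the core checks first and
     * only append to the error list.
     */
    public function validate()
    {
        $errors = parent::validate();
        if ($errors === true) {
            $errors = array();
        }
        $helper = Mage::helper('review');

        // Check 1: the request must come from a logged-in customer session.
        // A script that POSTs directly to the review URL without logging in
        // has no customer in the session and is rejected here.
        $session = Mage::getSingleton('customer/session');
        if (!$session->isLoggedIn()) {
            $errors[] = $helper->__('You must be logged in to write a review.');
        }

        // Check 2: the reviewed product must exist and be enabled. The post
        // URL carries the product id, so disabling the product in the admin
        // does not by itself stop direct POSTs; this refuses them.
        $product = Mage::getModel('catalog/product')->load($this->getEntityPkValue());
        if (!$product->getId()
            || $product->getStatus() != Mage_Catalog_Model_Product_Status::STATUS_ENABLED
        ) {
            $errors[] = $helper->__('Reviews cannot be posted for this product.');
        }

        return empty($errors) ? true : $errors;
    }
}
```

Because the checks live in the model rather than in the front-end controller, they apply to any code path that calls validate() before saving, and the rewrite survives Magento upgrades that would overwrite app/code/core. Guests lose the ability to review as a side effect, which is what question 2 in the first post asks for.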

 
 
sdb
Sr. Member
 
Total Posts:  223
Joined:  2007-11-13
coastal California, USA
 

Think of inactive as invisible. It’s there, you just can’t see it. They’re probably still finding it via a search engine, I would think. Which is also probably why the spam targets that one item: a keyword search. Is the item in your sitemap maybe?

I don’t know how to help you other than to suggest disabling comments, because I’m not much of a programmer.

 
 
srinigenie
Guru
 
Total Posts:  539
Joined:  2008-02-04
 

I noticed this too... it does look a bit weird to show the actual product IDs only on the review page... maybe we need to get a bug logged.

 