
SQL attacks or coincidence

Printed From: ProductCart E-Commerce Solutions
Category: ProductCart
Forum Name: Using ProductCart
Forum Description: Running your store with ProductCart
URL: https://forum.productcart.com/forum_posts.asp?TID=5249
Printed Date: 09-March-2025 at 7:05pm
Software Version: Web Wiz Forums 12.04 - http://www.webwizforums.com


Topic: SQL attacks or coincidence
Posted By: M Robles
Subject: SQL attacks or coincidence
Date Posted: 10-August-2012 at 3:16pm
Today I received three "Tell a friend" notifications hours apart for products which are random and items we never sell. I hardly ever receive TaF notifications and I find it suspicious. Should I be worried that someone is trying to get into my store?





Replies:
Posted By: Greg Dinger
Date Posted: 10-August-2012 at 4:44pm
It is fairly common that spammers will attack the TAF page, exploiting it with an automated process to send spam.
 
When they do that, it's been our practice to turn off TAF in the store, rename the file (thus hiding it) for some days until the spammer goes away.
 
Left available for them, if they continue to exploit the page, your mail server can be blacklisted, and your site can be found to be violating your host's terms of use agreement.
 
As a note, we recently built script modifications that allow the merchant to dictate the number of consecutively repeated uses of the contact page, and of the authorize.net page, before we redirect the offender to an error page. This was in response to the sorts of issues where stores are being used to test stolen credit cards, and some flake who tried to exploit a client's contact page.
 
Both of these solutions are available for purchase if anyone needs them.


-------------
GreyBeard Design Group

Certified ProductCart Developer

Web Design/Development/Hosting

http://tinyurl.com/5c8t4t - Add-Ons & Custom Code


Posted By: Hamish
Date Posted: 11-August-2012 at 7:46am
The Tell-A-Friend has by default a captcha code, unless you explicitly disable it (in recent versions of ProductCart anyway). That should deter all but the most determined attempts at abusing the page to send messages as it needs human interaction. It's the old old story, there are so many websites out there that are vulnerable they will almost always move on to an easier target if there is a Captcha code.

-------------
Editing ProductCart Code?

See http://wiki.earlyimpact.com/developers/editcode - WIKI Guidelines for Editing ProductCart's ASP Source Code



Posted By: Greg Dinger
Date Posted: 11-August-2012 at 9:18am
Hamish, as a point of interest, the store where we built in a defense mechanism last month (against abuse of the contact page) was fairly current (4.1) and had CAPTCHA engaged.  CAPTCHA did nothing to slow the attack.  The merchant became weary of deleting e-mails and had us cut them off at 3 submissions from any given IP.

-------------
GreyBeard Design Group

Certified ProductCart Developer

Web Design/Development/Hosting

http://tinyurl.com/5c8t4t - Add-Ons & Custom Code
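
The per-IP cutoff described in the replies above (3 submissions from any given IP, then the error page) can be sketched as follows. This is an added example, not part of any post and not ProductCart or GreyBeard code; it is written in Python rather than ProductCart's ASP so the logic can be run and tested, and the class name, the one-hour window and the sample traffic are assumptions.

```python
import time
from collections import defaultdict, deque

class SubmissionThrottle:
    """Allow at most `limit` form submissions per client IP within `window` seconds."""

    def __init__(self, limit=3, window=3600.0):   # window length is an assumption
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # ip -> timestamps of accepted submissions

    def allow(self, ip, now=None):
        """Return True if the submission may proceed, False to send the error page."""
        now = time.time() if now is None else now
        hits = self._hits[ip]
        # Forget submissions that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def prune(self, now=None):
        """Drop idle IPs so the table cannot grow without bound."""
        now = time.time() if now is None else now
        for ip in [ip for ip, h in self._hits.items()
                   if not h or now - h[-1] >= self.window]:
            del self._hits[ip]

    def tracked(self):
        """Number of IPs currently held in the table."""
        return len(self._hits)

def replay(requests, throttle):
    """Run (timestamp, ip) pairs through the throttle; return the decisions."""
    return [(ts, ip, throttle.allow(ip, ts)) for ts, ip in requests]

# Constructed sample traffic (documentation-range IPs): one automated sender
# hammering the form, one ordinary shopper.
SAMPLE = [(0, "203.0.113.7"), (5, "203.0.113.7"), (9, "198.51.100.20"),
          (12, "203.0.113.7"), (15, "203.0.113.7"), (20, "203.0.113.7"),
          (4000, "203.0.113.7")]

if __name__ == "__main__":
    for ts, ip, ok in replay(SAMPLE, SubmissionThrottle()):
        print(f"t={ts:>5}s {ip:<15} {'send' if ok else 'error page'}")
```

The check has to run on the server before the mail is sent, keyed on the address the web server itself sees; behind a proxy or load balancer that address may be shared by many visitors, so the limit needs tuning there.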


