vincent_g Posted December 3, 2019

When you have /members/register.php available to the public to register as a new client, the form does not check if the email address is an email address.

How can that be?

I had two new clients entered into the system which were nothing but spam. Every line was a spam containing a URL.

What else can be entered, I wonder, if that was possible?

brian! Posted December 4, 2019

16 hours ago, vincent_g said:
> What else can be entered I wonder if that was possible?

as the registration form template uses HTML5 email validation (type=email), under most circumstances the form should validate the format of the email address and throw an error if it's not correct...

16 hours ago, vincent_g said:
> What else can be entered I wonder if that was possible?

if these spammers were using a browser that doesn't support these HTML5 input fields, they will be treated as normal input fields and text could be added to them with no email format validation occurring.

enabling Google CAPTCHA (instead of WHMCS captcha) might be worth trying (though GR can be bypassed too!) - but ultimately if this becomes an issue, you might need to think about using additional validation to the form, e.g. JavaScript validation or checks before the client is added to WHMCS.

Damo Posted December 5, 2019

19 hours ago, brian! said:
> if these spammers were using a browser that doesn't support these HTML5 input fields, they will be treated as normal input fields and text could be added to them with no email format validation occurring.

If they're posting without a browser then HTML5 validation wouldn't occur either.

I have not looked but surely WHMCS is validating the input and not just assuming that it's going to receive an email address. There have been other instances where WHMCS has not sanitised / validated input so at a guess it just accepts anything.

brian! Posted December 5, 2019

3 hours ago, Damo said:
> I have not looked but surely WHMCS is validating the input and not just assuming that it's going to receive an email address.

i'm not aware of any additional checks on the email address that occur during registration - other than those specified in the template.

vincent_g Posted December 5, 2019

The email address was valid but this is what was entered. In addition I received no email of this account being created.

Client info

First name: Invest $ 8962 and get $ 5645 every month: https://earn-2btc-per-day.blogspot.nl?l=79
Last Name: Invest $ 8962 and get $ 5645 every month: https://earn-2btc-per-day.blogspot.nl?l=79
Company Name: Invest $ 8962 and get $ 5645 every month: https://earn-2btc-per-day.blogspot.nl?l=79
Email address: anja.zinke@gmx.de

Every entry will have the same line entered on all other inputs.

If you can enter this, what else can be entered, I wonder?

brian! Posted December 5, 2019

1 hour ago, vincent_g said:
> The email address was valid but this is what was entered

oh if the email address was valid, then I would suspect what you saw to be expected behaviour as the fields you list are just text fields with no formatting validation - a user could enter those details in older versions, e.g. v5.3, if they wanted to without causing an error.

i've never been a big fan of enabling registration without ordering as for most circumstances it seems irrelevant - though some WHMCS users prefer registration without ordering as it suits their business model.

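
One way to add the server-side checks discussed above, as an added example that is not part of any post in this thread and not WHMCS's own code: a hook file for WHMCS's `ClientDetailsValidation` hook point that rejects URLs in the name fields, the "same line in every field" pattern reported here, and malformed email addresses. The helper name, the 60-byte limit and the error wording are assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example, not WHMCS code. Place in includes/hooks/ (any file name).
if (!defined('WHMCS')) {
    die('This file cannot be accessed directly');
}

// Hypothetical helper: returns error strings for the submitted client details.
function reg_spam_errors(array $vars): array
{
    $errors = [];
    $fields = ['firstname' => 'First Name', 'lastname' => 'Last Name',
               'companyname' => 'Company Name'];
    $values = [];
    foreach ($fields as $key => $label) {
        $value = trim((string) ($vars[$key] ?? ''));
        $values[$key] = strtolower($value);
        if ($value === '') {
            continue;
        }
        // A URL scheme or "www." has no place in a name field.
        if (preg_match('~[a-z][a-z0-9+.-]*://|\bwww\.~i', $value)) {
            $errors[] = "$label must not contain a URL.";
        } elseif (strlen($value) > 60) { // assumed limit, counted in bytes
            $errors[] = "$label is too long.";
        }
    }
    // The pattern reported in this thread: one line pasted into every field.
    if ($values['firstname'] !== ''
        && $values['firstname'] === $values['lastname']
        && $values['firstname'] === $values['companyname']) {
        $errors[] = 'First name, last name and company name must not be identical.';
    }
    // Server-side format check; type=email in the template only runs in a browser.
    $email = trim((string) ($vars['email'] ?? ''));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return $errors;
}

// ClientDetailsValidation runs when client details are submitted; the strings
// returned here are shown as form errors and the submission is rejected.
add_hook('ClientDetailsValidation', 1, function ($vars) {
    return reg_spam_errors($vars);
});
```

Because the hook runs on the server, it applies equally to submissions posted without a browser, which client-side HTML5 or JavaScript validation never sees.
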
vincent_g Posted December 15, 2019

If you're selling web design they will need to create an account without buying anything. After all, we need to give them a proposal, don't we?

Let's have a proper system where we don't have people spamming the system.

I'm also working on cPanel - pushing them to try and fix the email alias / forwarder. This is a different issue. The problem with that is it forwards spam, emails from known bad senders.

I have asked Google Gmail if the email addresses are real - if not then there is no way to block emails from such senders. Still waiting for a reply from Gmail.

Would be nice if we had support on issues like these.

brian! Posted December 16, 2019

11 hours ago, vincent_g said:
> If your selling web design they will need to create an account without buying anything. After all we need to give them a proposal don't we?

as I said, it depends on your business model and site design - i've seen the above covered with WP forms and only if they get to accepting the proposal stage, does WHMCS become involved with registration, invoicing etc.

11 hours ago, vincent_g said:
> Lets have a proper system where we don't have people spamming the system.

I can remember reading similar requests here 6 years ago... sadly, most of the flaws in the system back then are still in there now.