vincent_g

WHMCS is not checking for valid email


When you have /members/register.php available to the public to register as a new client the form does not check if the email address is an email address.

How can that be?

I had two new clients entered into the system which were nothing but spam.

Every line was a spam containing a URL

What else can be entered I wonder if that was possible?

16 hours ago, vincent_g said:

What else can be entered I wonder if that was possible?

as the registration form template uses HTML5 email validation (type=email), under most circumstances the form should validate the format of the email address and throw an error if it's not correct...


16 hours ago, vincent_g said:

What else can be entered I wonder if that was possible? 

if these spammers were using a browser that doesn't support these HTML5 input fields, they will be treated as normal input fields and text could be added to them with no email format validation occurring.

enabling Google CAPTCHA (instead of WHMCS captcha) might be worth trying (though GR can be bypassed too!) - but ultimately if this becomes an issue, you might need to think about using additional validation to the form (e.g. JavaScript validation or checks before the client is added to WHMCS).

19 hours ago, brian! said:

if these spammers were using a browser that doesn't support these HTML5 input fields, they will be treated as normal input fields and text could be added to them with no email format validation occurring.

If they’re posting without a browser then HTML5 validation wouldn’t occur either.

I have not looked but surely WHMCS is validating the input and not just assuming that it’s going to receive an email address.

There have been other instances where WHMCS has not sanitised / validated input so at a guess it just accepts anything. 

3 hours ago, Damo said:

I have not looked but surely WHMCS is validating the input and not just assuming that it’s going to receive an email address. 

i'm not aware of any additional checks on the email address that occur during registration - other than those specified in the template.


The email address was valid but this is what was entered

In addition I received no email of this account being created.

Client info

First name: Invest $ 8962 and get $ 5645 every month: https://earn-2btc-per-day.blogspot.nl?l=79

Last Name: Invest $ 8962 and get $ 5645 every month: https://earn-2btc-per-day.blogspot.nl?l=79

Company Name: Invest $ 8962 and get $ 5645 every month: https://earn-2btc-per-day.blogspot.nl?l=79

Email address: anja.zinke@gmx.de

Every entry will have the same line entered on all other inputs

If you can enter this what else can be entered I wonder?

1 hour ago, vincent_g said:

The email address was valid but this is what was entered

oh if the email address was valid, then I would suspect what you saw to be expected behaviour as the fields you list are just text fields with no formatting validation - a user could enter those details in older versions, e.g. v5.3, if they wanted to without causing an error.

i've never been a big fan of enabling registration without ordering as for most circumstances it seems irrelevant - though some WHMCS users prefer registration without ordering as it suits their business model.

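Added example (not part of any post in this thread and not WHMCS code): a server-side check of the registration fields discussed above, which runs whether or not the request came from a browser that honours `type=email`. The function name, field keys, length limits and sample values are assumptions for illustration; in WHMCS a check like this would typically be called from a validation hook such as `ClientDetailsValidation`, with the wiring verified against your version's hook documentation.

```php
<?php
// Added example: server-side validation of registration input.
// Field keys and limits are illustrative assumptions, not WHMCS internals.

/** Return a list of error messages for one submitted registration. */
function validate_registration(array $in): array
{
    $errors = [];

    // Email: validate on the server; the HTML5 input type is only a browser hint.
    $email = trim((string)($in['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }

    // Name-like text fields: bounded length (in bytes), no links, no control chars.
    $limits = ['firstname' => 50, 'lastname' => 50, 'companyname' => 100];
    foreach ($limits as $field => $max) {
        $value = trim((string)($in[$field] ?? ''));
        if ($value === '' && $field !== 'companyname') {
            $errors[] = "$field is required.";
            continue;
        }
        if (strlen($value) > $max) {
            $errors[] = "$field is too long.";
        }
        // Catches explicit links only; bare domain names would need a stricter rule.
        if (preg_match('~https?://|www\.~i', $value)) {
            $errors[] = "$field must not contain a link.";
        }
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            $errors[] = "$field contains control characters.";
        }
    }
    return $errors;
}

// Constructed sample modelled on the entry quoted in the thread:
// a well-formed email address with promotional text and a URL in the name fields.
$line = 'Invest $ 8962 and get $ 5645 every month: https://spam.example.invalid?l=79';
$spam = ['firstname' => $line, 'lastname' => $line, 'companyname' => $line,
         'email' => 'someone@example.com'];
$good = ['firstname' => 'Ada', 'lastname' => 'Lovelace', 'companyname' => '',
         'email' => 'ada@example.com'];

foreach (['spam' => $spam, 'good' => $good] as $label => $submission) {
    $errors = validate_registration($submission);
    echo $label, ': ', $errors ? implode(' | ', $errors) : 'accepted', PHP_EOL;
}
```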

If you're selling web design they will need to create an account without buying anything.

After all we need to give them a proposal don't we?

Let's have a proper system where we don't have people spamming the system.

I'm also working on cPanel - pushing them to try and fix the email alias / forwarder.

This is a different issue.

The problem with that is it forwards spam, emails from known bad senders.

I have asked Google Gmail if the email addresses are real - if not then there is no way to block emails from such senders.

Still waiting for a reply from Gmail

Would be nice if we had support on issues like these

11 hours ago, vincent_g said:

If you're selling web design they will need to create an account without buying anything. After all we need to give them a proposal don't we?

as I said, it depends on your business model and site design - i've seen the above covered with WP forms and only if they get to accepting the proposal stage, does WHMCS become involved with registration, invoicing etc.

11 hours ago, vincent_g said:

Let's have a proper system where we don't have people spamming the system.

I can remember reading similar requests here 6 years ago... sadly, most of the flaws in the system back then are still in there now.

